Delete a snooze schedule for a rule

DELETE /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • ruleId string Required

    The identifier for the rule.

  • scheduleId string Required

    The identifier for the snooze schedule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given id does not exist.

DELETE /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId} 
curl \
 --request DELETE 'https://localhost:5601/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Delete agent configuration

DELETE /api/apm/settings/agent-configuration
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
DELETE /api/apm/settings/agent-configuration 
curl \
 --request DELETE 'https://localhost:5601/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '"{\n    \"service\" : {\n        \"name\": \"frontend\",\n        \"environment\": \"production\"\n    }\n}\n"'
Request example
Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. 
{
    "service" : {
        "name": "frontend",
        "environment": "production"
    }
}
Response examples (200) 
{
  "result": "string"
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Dashboards

Delete a dashboard Technical Preview

DELETE /api/dashboards/dashboard/{id}
Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    A unique identifier for the dashboard.

DELETE /api/dashboards/dashboard/{id} 
curl \
 --request DELETE 'https://localhost:5601/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Reassign an agent

POST /api/fleet/agents/{agentId}/reassign
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

Responses

POST /api/fleet/agents/{agentId}/reassign 
curl \
 --request POST 'https://localhost:5601/api/fleet/agents/{agentId}/reassign' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"policy_id":"string"}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "policy_id": "string"
}
Response examples (200) 
{}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Update an agent policy

PUT /api/fleet/agent_policies/{agentPolicyId}
Api key auth Basic auth

Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body

Responses

PUT /api/fleet/agent_policies/{agentPolicyId} 
curl \
 --request PUT 'https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"advanced_settings":{},"agent_features":[{"enabled":true,"name":"string"}],"agentless":{"resources":{"requests":{"cpu":"string","memory":"string"}}},"bumpRevision":true,"data_output_id":"string","description":"string","download_source_id":"string","fleet_server_host_id":"string","force":true,"global_data_tags":[{"name":"string","value":"string"}],"has_fleet_server":true,"id":"string","inactivity_timeout":1209600,"is_default":true,"is_default_fleet_server":true,"is_managed":true,"is_protected":true,"keep_monitoring_alive":false,"monitoring_diagnostics":{"limit":{"burst":42.0,"interval":"string"},"uploader":{"init_dur":"string","max_dur":"string","max_retries":42.0}},"monitoring_enabled":["logs"],"monitoring_http":{"buffer":{"enabled":false},"enabled":true,"host":"string","port":42.0},"monitoring_output_id":"string","monitoring_pprof_enabled":true,"name":"string","namespace":"string","overrides":{},"required_versions":[{"percentage":42.0,"version":"string"}],"space_ids":["string"],"supports_agentless":false,"unenroll_timeout":42.0}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "advanced_settings": {},
  "agent_features": [
    {
      "enabled": true,
      "name": "string"
    }
  ],
  "agentless": {
    "resources": {
      "requests": {
        "cpu": "string",
        "memory": "string"
      }
    }
  },
  "bumpRevision": true,
  "data_output_id": "string",
  "description": "string",
  "download_source_id": "string",
  "fleet_server_host_id": "string",
  "force": true,
  "global_data_tags": [
    {
      "name": "string",
      "value": "string"
    }
  ],
  "has_fleet_server": true,
  "id": "string",
  "inactivity_timeout": 1209600,
  "is_default": true,
  "is_default_fleet_server": true,
  "is_managed": true,
  "is_protected": true,
  "keep_monitoring_alive": false,
  "monitoring_diagnostics": {
    "limit": {
      "burst": 42.0,
      "interval": "string"
    },
    "uploader": {
      "init_dur": "string",
      "max_dur": "string",
      "max_retries": 42.0
    }
  },
  "monitoring_enabled": [
    "logs"
  ],
  "monitoring_http": {
    "buffer": {
      "enabled": false
    },
    "enabled": true,
    "host": "string",
    "port": 42.0
  },
  "monitoring_output_id": "string",
  "monitoring_pprof_enabled": true,
  "name": "string",
  "namespace": "string",
  "overrides": {},
  "required_versions": [
    {
      "percentage": 42.0,
      "version": "string"
    }
  ],
  "space_ids": [
    "string"
  ],
  "supports_agentless": false,
  "unenroll_timeout": 42.0
}
Response examples (200) 
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Download an agent manifest

GET /api/fleet/kubernetes/download
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.

Responses

GET /api/fleet/kubernetes/download 
curl \
 --request GET 'https://localhost:5601/api/fleet/kubernetes/download' \
 --header "Authorization: $API_KEY"
Response examples (200) 
string
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a package signature verification key ID

GET /api/fleet/epm/verification_key_id
Api key auth Basic auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Responses

GET /api/fleet/epm/verification_key_id 
curl \
 --request GET 'https://localhost:5601/api/fleet/epm/verification_key_id' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "string"
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get settings

GET /api/fleet/settings
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-settings-read.

Responses

GET /api/fleet/settings 
curl \
 --request GET 'https://localhost:5601/api/fleet/settings' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "delete_unenrolled_agents": {
      "enabled": true,
      "is_preconfigured": true
    },
    "has_seen_add_data_notice": true,
    "id": "string",
    "output_secret_storage_requirements_met": true,
    "preconfigured_fields": [
      "fleet_server_hosts"
    ],
    "prerelease_integrations_enabled": true,
    "secret_storage_requirements_met": true,
    "use_space_awareness_migration_started_at": "string",
    "use_space_awareness_migration_status": "pending",
    "version": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404) 
{
  "message": "string"
}

Get a package policy

GET /api/fleet/package_policies/{packagePolicyId}
Api key auth Basic auth

Get a package policy by ID.

Query parameters

  • format string

    Values are simplified or legacy.

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • additional_datastreams_permissions array[string] | null

        Additional datastream permissions, that will be added to the agent policy.

      • agents number
      • created_at string Required
      • created_by string Required
      • description string

        Package policy description

      • elasticsearch object

        Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • privileges object

          Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required

      • inputs array[object] | object Required

        Any of:
        array-1 array[object] object-2 object
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • keep_enabled boolean
        • policy_template string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • keep_enabled boolean
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • namespace string

        The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required

      • vars object

        Any of:
        object-1 object object-2 object

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 404 application/json
    Hide response attribute Show response attribute object
GET /api/fleet/package_policies/{packagePolicyId} 
curl \
 --request GET 'https://localhost:5601/api/fleet/package_policies/{packagePolicyId}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "additional_datastreams_permissions": [
      "string"
    ],
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404) 
{
  "message": "string"
}

Create a proxy

POST /api/fleet/proxies
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/proxies 
curl \
 --request POST 'https://localhost:5601/api/fleet/proxies' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","id":"string","is_preconfigured":false,"name":"string","proxy_headers":{},"url":"string"}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "certificate": "string",
  "certificate_authorities": "string",
  "certificate_key": "string",
  "id": "string",
  "is_preconfigured": false,
  "name": "string",
  "proxy_headers": {},
  "url": "string"
}
Response examples (200) 
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a proxy

GET /api/fleet/proxies/{itemId}
Api key auth Basic auth

Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read.

Responses

GET /api/fleet/proxies/{itemId} 
curl \
 --request GET 'https://localhost:5601/api/fleet/proxies/{itemId}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Update a Fleet Server host

PUT /api/fleet/fleet_server_hosts/{itemId}
Api key auth Basic auth

Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

PUT /api/fleet/fleet_server_hosts/{itemId} 
curl \
 --request PUT 'https://localhost:5601/api/fleet/fleet_server_hosts/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host_urls":["string"],"is_default":true,"is_internal":true,"name":"string","proxy_id":"string","secrets":{"ssl":{"es_key":{"id":"string"},"key":{"id":"string"}}},"ssl":{"certificate":"string","certificate_authorities":["string"],"client_auth":"optional","es_certificate":"string","es_certificate_authorities":["string"],"es_key":"string","key":"string"}}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "host_urls": [
    "string"
  ],
  "is_default": true,
  "is_internal": true,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "es_key": {
        "id": "string"
      },
      "key": {
        "id": "string"
      }
    }
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "client_auth": "optional",
    "es_certificate": "string",
    "es_certificate_authorities": [
      "string"
    ],
    "es_key": "string",
    "key": "string"
  }
}
Response examples (200) 
{
  "item": {
    "host_urls": [
      "string"
    ],
    "id": "string",
    "is_default": false,
    "is_internal": true,
    "is_preconfigured": false,
    "name": "string",
    "proxy_id": "string",
    "secrets": {
      "ssl": {
        "es_key": {
          "id": "string"
        },
        "key": {
          "id": "string"
        }
      }
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "client_auth": "optional",
      "es_certificate": "string",
      "es_certificate_authorities": [
        "string"
      ],
      "es_key": "string",
      "key": "string"
    }
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a Logstash pipeline Technical Preview

GET /api/logstash/pipeline/{id}
Api key auth Basic auth

Get information for a centrally-managed Logstash pipeline. To use this API, you must have either the logstash_admin built-in role or a customized Logstash reader role.

Secure your connection

Path parameters

  • id string Required

    An identifier for the pipeline.

Responses

  • 200 application/json

    Indicates a successful call
GET /api/logstash/pipeline/{id} 
curl \
 --request GET 'https://localhost:5601/api/logstash/pipeline/{id}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "hello-world",
  "description": "Just a simple pipeline",
  "username": "elastic",
  "pipeline": "input { stdin {} } output { stdout {} }",
  "settings": {
    "queue.type": "persistent"
  }
}

Create saved objects Deprecated

POST /api/saved_objects/_bulk_create
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Query parameters

  • overwrite boolean

    When true, overwrites the document with the same identifier.

application/json

Body Required

object object

Responses

  • 200 application/json

    Indicates a successful call.
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/saved_objects/_bulk_create 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/_bulk_create' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'
Request examples 
# Headers
kbn-xsrf: string

# Payload
[
  {}
]
Response examples (200) 
{}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Resolve import errors

POST /api/saved_objects/_resolve_import_errors
Api key auth Basic auth

To resolve errors from the Import objects API, you can:

  • Retry certain saved objects
  • Overwrite specific saved objects
  • Change references to different saved objects

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Query parameters

  • compatibilityMode boolean

    Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the createNewCopies option.

  • createNewCopies boolean

    Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors.

multipart/form-data

Body Required

  • file string(binary)

    The same file given to the import API.

  • retries array[object] Required

    The retry operations, which can specify how to resolve different types of errors.

    Hide retries attributes Show retries attributes object
    • destinationId string

      Specifies the destination ID that the imported object should have, if different from the current ID.

    • id string Required

      The saved object ID.

    • ignoreMissingReferences boolean

      When set to true, ignores missing reference errors. When set to false, does nothing.

    • overwrite boolean

      When set to true, the source object overwrites the conflicting destination object. When set to false, does nothing.

    • replaceReferences array[object]

      A list of type, from, and to used to change the object references.

      Hide replaceReferences attributes Show replaceReferences attributes object
    • type string Required

      The saved object type.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • errors array[object]

      Specifies the objects that failed to resolve.

      NOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a missing_references error and a conflict error.

    • success boolean

      Indicates a successful import. When set to false, some objects may not have been created. For additional information, refer to the errors and successResults properties.

    • successCount number

      Indicates the number of successfully resolved records.

    • successResults array[object]

      Indicates the objects that are successfully imported, with any metadata if applicable.

      NOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references.
  • 400 application/json

    Bad request.

    Hide response attributes Show response attributes object
POST /api/saved_objects/_resolve_import_errors 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/_resolve_import_errors' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --header "kbn-xsrf: string" \
 --form "file=file.ndjson" \
 --form "retries[]={"id"=>"my-pattern", "type"=>"index-pattern", "overwrite"=>true}" \
 --form "retries[]={"id"=>"my-vis", "type"=>"visualization", "overwrite"=>true, "destinationId"=>"another-vis"}" \
 --form "retries[]={"id"=>"my-canvas", "type"=>"canvas", "overwrite"=>true, "destinationId"=>"yet-another-canvas"}" \
 --form "retries[]={"id"=>"my-dashboard", "type"=>"dashboard"}"
Request example 
{"file"=>"file.ndjson", "retries"=>[{"id"=>"my-pattern", "type"=>"index-pattern", "overwrite"=>true}, {"id"=>"my-vis", "type"=>"visualization", "overwrite"=>true, "destinationId"=>"another-vis"}, {"id"=>"my-canvas", "type"=>"canvas", "overwrite"=>true, "destinationId"=>"yet-another-canvas"}, {"id"=>"my-dashboard", "type"=>"dashboard"}]}
Response examples (200) 
{
  "success": true,
  "successCount": 3,
  "successResults": [
    {
      "id": "my-vis",
      "meta": {
        "icon": "visualizeApp",
        "title": "Look at my visualization"
      },
      "type": "visualization"
    },
    {
      "id": "my-search",
      "meta": {
        "icon": "searchApp",
        "title": "Look at my search"
      },
      "type": "search"
    },
    {
      "id": "my-dashboard",
      "meta": {
        "icon": "dashboardApp",
        "title": "Look at my dashboard"
      },
      "type": "dashboard"
    }
  ]
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Export detection rules

POST /api/detection_engine/rules/_export
Api key auth Basic auth

Export detection rules to an .ndjson file. The following configuration items are also included in the .ndjson file:

  • Actions
  • Exception lists

Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.

You can use Kibana’s Saved Objects UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before importing detection rules.

Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Manage value lists UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.

Query parameters

  • exclude_export_details boolean

    Determines whether a summary of the exported rules is returned.

    Default value is false.

  • file_name string

    File name for saving the exported rules.

    When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.

    Default value is export.ndjson.

application/json

Body

  • objects array[object] Required

    Array of rule_id fields. Exports all rules when unspecified.

    Hide objects attribute Show objects attribute object
    • rule_id string Required

      A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

Responses

  • 200 application/ndjson

    Indicates a successful call.

    An .ndjson file containing the returned rules.

    Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.
POST /api/detection_engine/rules/_export 
curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
  "objects": [
    {
      "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
    },
    {
      "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
    }
  ]
}
Request examples 
{
  "objects": [
    {
      "rule_id": "string"
    }
  ]
}
Response examples (200) 
@file

Assign and unassign users from detection alerts

POST /api/detection_engine/signals/assignees
Api key auth Basic auth

Assign users to detection alerts, and unassign them from alerts.

You cannot add and remove the same assignee in the same request.

application/json

Body Required

  • assignees object Required

    Details about the assignees to assign and unassign.

    Hide assignees attributes Show assignees attributes object
    • add array[string(nonempty)] Required

      A list of users ids to assign.

      Minimum length of each is 1.

    • remove array[string(nonempty)] Required

      A list of users ids to unassign.

      Minimum length of each is 1.

  • ids array[string(nonempty)] Required

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

Responses

  • 200 application/ndjson

    Indicates a successful call.

  • 400

    Invalid request.

POST /api/detection_engine/signals/assignees 
curl \
 --request POST 'https://localhost:5601/api/detection_engine/signals/assignees' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"],"assignees":{"add":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"],"remove":[]}}'
Request examples 
{
  "ids": [
    "681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
  ],
  "assignees": {
    "add": [
      "u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
    ],
    "remove": []
  }
}
{
  "ids": [
    "681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
  ],
  "assignees": {
    "add": [],
    "remove": [
      "u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
    ]
  }
}
Response examples (200) 
{
  "took": "76,",
  "noops": "0,",
  "total": "1,",
  "batches": "1,",
  "deleted": "0,",
  "retries": [
    {
      "bulk": "0,"
    },
    {
      "search": 0
    }
  ],
  "updated": "1,",
  "failures": [],
  "timed_out": "false,",
  "throttled_millis": "0,",
  "version_conflicts": "0,",
  "requests_per_second": "-1,",
  "throttled_until_millis": "0,"
}

Get endpoint exception list items

GET /api/endpoint_list/items/_find
Api key auth Basic auth

Get a list of all endpoint exception list items.

Query parameters

  • filter string(nonempty)

    Filters the returned results according to the value of the specified field, using the <field name>:<field value> syntax.

    Minimum length is 1.

  • page integer

    The page number to return

    Minimum value is 0.

  • per_page integer

    The number of exception list items to return per page

    Minimum value is 0.

  • sort_field string(nonempty)

    Determines which field is used to sort the results

    Minimum length is 1.

  • sort_order string

    Determines the sort order, which can be desc or asc

    Values are desc or asc.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • data array[object] Required
      Hide data attributes Show data attributes object
      • _version string

        The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

      • comments array[object] Required

        Array of comment fields:

        • comment (string): Comments about the exception item.
        Hide comments attributes Show comments attributes object
        • comment string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • created_at string(date-time) Required

          Autogenerated date of object creation.

        • created_by string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • id string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • updated_at string(date-time)

          Autogenerated date of last object update.

        • updated_by string(nonempty)

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string Required

        Autogenerated value - user that created object.

      • description string Required

        Describes the exception list.

      • entries array[object] Required
        Any of:
        Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
        Hide attributes Show attributes
        • field string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • operator string Required

          Values are excluded or included.

        • type string Required Discriminator

          Value is match.

        • value string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • expire_time string(date-time)

        The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

      • id string(nonempty) Required

        Exception's identifier.

        Minimum length is 1.

      • item_id string(nonempty) Required

        Human readable string identifier, e.g. trusted-linux-processes

        Minimum length is 1.

      • list_id string(nonempty) Required

        Exception list's human readable string identifier, e.g. trusted-linux-processes.

        Minimum length is 1.

      • meta object

        Additional properties are allowed.

      • name string(nonempty) Required

        Exception list name.

        Minimum length is 1.

      • namespace_type string Required

        Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

        • single: Only available in the Kibana space in which it is created.
        • agnostic: Available in all Kibana spaces.

        Values are agnostic or single.

      • os_types array[string]

        Use this field to specify the operating system.

        Values are linux, macos, or windows.

      • tags array[string(nonempty)]

        String array containing words and phrases to help categorize exception items.

        Minimum length of each is 1.

      • tie_breaker_id string Required

        Field used in search to ensure all containers are sorted and returned correctly.

      • type string Required

        Value is simple.

      • updated_at string(date-time) Required

        Autogenerated date of last object update.

      • updated_by string Required

        Autogenerated value - user that last updated object.

    • page integer Required

      Minimum value is 0.

    • per_page integer Required

      Minimum value is 0.

    • pit string
    • total integer Required

      Minimum value is 0.
  • 400 application/json

    Invalid input data

    One of:
    Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 404 application/json

    Endpoint list not found

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
GET /api/endpoint_list/items/_find 
curl \
 --request GET 'https://localhost:5601/api/endpoint_list/items/_find' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": [
    {
      "_version": "string",
      "comments": [
        {
          "comment": "string",
          "created_at": "2025-05-04T09:42:00Z",
          "created_by": "string",
          "id": "string",
          "updated_at": "2025-05-04T09:42:00Z",
          "updated_by": "string"
        }
      ],
      "created_at": "2025-05-04T09:42:00Z",
      "created_by": "string",
      "description": "string",
      "entries": [
        {
          "field": "string",
          "operator": "excluded",
          "type": "match",
          "value": "string"
        }
      ],
      "expire_time": "2025-05-04T09:42:00Z",
      "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
      "item_id": "simple_list_item",
      "list_id": "simple_list",
      "meta": {},
      "name": "string",
      "namespace_type": "agnostic",
      "os_types": [
        "linux"
      ],
      "tags": [
        "string"
      ],
      "tie_breaker_id": "string",
      "type": "simple",
      "updated_at": "2025-05-04T09:42:00Z",
      "updated_by": "string"
    }
  ],
  "page": 42,
  "per_page": 42,
  "pit": "string",
  "total": 42
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (404) 
{
  "message": "string",
  "status_code": 42
}
Response examples (500) 
{
  "message": "string",
  "status_code": 42
}

Scan a file or directory

POST /api/endpoint/action/scan
Api key auth Basic auth

Scan a specific file or directory on an endpoint for malware.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Optional parameters object

    Hide parameters attribute Show parameters attribute object
    • path string Required

      The folder or file’s full path (including the file name).

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/scan 
curl \
 --request POST 'https://localhost:5601/api/endpoint/action/scan' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Scan the file for malware","parameters":{"path":"/usr/my-file.txt"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example 
{
  "comment": "Scan the file for malware",
  "parameters": {
    "path": "/usr/my-file.txt"
  },
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "27ba1b42-7cc6-4e53-86ce-675c876092b2",
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
      }
    },
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "status": "pending",
    "command": "scan",
    "outputs": {},
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2023-07-28T19:00:03.911Z",
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "parameters": {
      "path": "/usr/my-file.txt"
    },
    "isCompleted": false,
    "wasSuccessful": false
  }
}

Upsert an asset criticality record

POST /api/asset_criticality
Api key auth Basic auth

Create or update an asset criticality record for a specific entity.

If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.

application/json

Body Required

  • id_field string Required

    Values are host.name, user.name, service.name, or entity.id.

  • id_value string Required

    The ID value of the asset.

  • criticality_level string Required

    The criticality level of the asset.

    Values are low_impact, medium_impact, high_impact, or extreme_impact.

  • refresh string

    If 'wait_for' the request will wait for the index refresh.

    Value is wait_for.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object

    The deleted record if it existed.

    • id_field string Required

      Values are host.name, user.name, service.name, or entity.id.

    • id_value string Required

      The ID value of the asset.

    • criticality_level string Required

      The criticality level of the asset.

      Values are low_impact, medium_impact, high_impact, or extreme_impact.

    • asset object Required
      Hide asset attribute Show asset attribute object
      • criticality string

        The criticality level of the asset.

        Values are low_impact, medium_impact, high_impact, or extreme_impact.

    • host object
      Hide host attributes Show host attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • service object
      Hide service attributes Show service attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • user object
      Hide user attributes Show user attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • @timestamp string(date-time) Required

      The time the record was created or updated.
  • 400

    Invalid request

POST /api/asset_criticality 
curl \
 --request POST 'https://localhost:5601/api/asset_criticality' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"id_field":"host.name","id_value":"my_host","criticality_level":"high_impact"}'
Request example 
{
  "id_field": "host.name",
  "id_value": "my_host",
  "criticality_level": "high_impact"
}
Response examples (200) 
{
  "host": {
    "name": "my_host",
    "asset": {
      "criticality": "high_impact"
    }
  },
  "asset": {
    "criticality": "high_impact"
  },
  "id_field": "host.name",
  "id_value": "my_host",
  "@timestamp": "2024-08-02T11:15:34.290Z",
  "criticality_level": "high_impact"
}

Apply DataView indices to all installed engines

POST /api/entity_store/engines/apply_dataview_indices
Api key auth Basic auth

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 207 application/json

    Partial successful response

    Hide response attributes Show response attributes object
  • 500 application/json

    Error response

    Hide response attributes Show response attributes object
POST /api/entity_store/engines/apply_dataview_indices 
curl \
 --request POST 'https://localhost:5601/api/entity_store/engines/apply_dataview_indices' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "result": [
    {
      "changes": {
        "indexPatterns": [
          "string"
        ]
      },
      "type": "string"
    }
  ],
  "success": true
}
Response examples (207) 
{
  "errors": [
    "string"
  ],
  "result": [
    {
      "changes": {
        "indexPatterns": [
          "string"
        ]
      },
      "type": "string"
    }
  ],
  "success": true
}
Response examples (500) 
{
  "body": "string",
  "statusCode": 42.0
}

Get the status of the Entity Store

GET /api/entity_store/status
Api key auth Basic auth

Query parameters

  • include_components boolean

    If true returns a detailed status of the engine including all it's components

Responses

GET /api/entity_store/status 
curl \
 --request GET 'https://localhost:5601/api/entity_store/status' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "engines": [
    {
      "delay": "1m",
      "docsPerSecond": 42,
      "error": {
        "action": "init",
        "message": "string"
      },
      "fieldHistoryLength": 42,
      "filter": "string",
      "frequency": "1m",
      "indexPattern": "string",
      "lookbackPeriod": "24h",
      "status": "installing",
      "timeout": "180s",
      "timestampField": "string",
      "type": "user",
      "components": [
        {
          "errors": [
            {
              "message": "string",
              "title": "string"
            }
          ],
          "health": "green",
          "id": "string",
          "installed": true,
          "metadata": {
            "delete_time_in_ms": 42,
            "documents_deleted": 42,
            "documents_indexed": 42,
            "documents_processed": 42,
            "exponential_avg_checkpoint_duration_ms": 42,
            "exponential_avg_documents_indexed": 42,
            "exponential_avg_documents_processed": 42,
            "index_failures": 42,
            "index_time_in_ms": 42,
            "index_total": 42,
            "pages_processed": 42,
            "processing_time_in_ms": 42,
            "processing_total": 42,
            "search_failures": 42,
            "search_time_in_ms": 42,
            "search_total": 42,
            "trigger_count": 42
          },
          "resource": "entity_engine"
        }
      ]
    }
  ],
  "status": "not_installed"
}

Service level objectives

SLO APIs enable you to define, manage and track service-level objectives

Update a space

PUT /api/spaces/space/{id}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The space identifier. You are unable to change the ID with the update operation.

application/json

Body

  • _reserved boolean
  • color string

    The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.

  • description string

    A description for the space.

  • disabledFeatures array[string]

    The list of features that are turned off in the space.

    Default value is [] (empty).

  • id string Required

    The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.

  • imageUrl string

    The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.

  • initials string

    One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.

    Maximum length is 2.

  • name string Required

    The display name for the space.

    Minimum length is 1.

  • solution string

    Values are security, oblt, es, or classic.

Responses

  • 200

    Indicates a successful call.

PUT /api/spaces/space/{id} 
curl \
 --request PUT 'https://localhost:5601/api/spaces/space/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"id":"marketing","name":"Marketing","color":null,"imageUrl":"","initials":"MK","description":"This is the Marketing Space","disabledFeatures":[]}'
Request example
Update the marketing space to remove the imageUrl. 
{
  "id": "marketing",
  "name": "Marketing",
  "color": null,
  "imageUrl": "",
  "initials": "MK",
  "description": "This is the Marketing Space",
  "disabledFeatures": []
}

Delete a stream Technical Preview

DELETE /api/streams/{name}
Api key auth Basic auth

Deletes a stream definition and the underlying data stream

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

object object

Additional properties are NOT allowed.
DELETE /api/streams/{name} 
curl \
 --request DELETE 'https://localhost:5601/api/streams/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true"
Request examples 
# Headers
kbn-xsrf: true

# Payload
{}

Delete monitors

POST /api/synthetics/monitors/_bulk_delete
Api key auth Basic auth

Delete multiple monitors by sending a list of config IDs.

application/json

Body Required

  • ids array[string] Required

    An array of monitor IDs to delete.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • deleted boolean

      If it is true, the monitor was successfully deleted If it is false, the monitor was not deleted.

    • ids string

      The unique identifier of the deleted monitor.
POST /api/synthetics/monitors/_bulk_delete 
curl \
 --request POST 'https://localhost:5601/api/synthetics/monitors/_bulk_delete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"ids\": [\n    \"monitor1-id\",\n    \"monitor2-id\"\n  ]\n}"'
Request example
Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors. 
{
  "ids": [
    "monitor1-id",
    "monitor2-id"
  ]
}
Response examples (200)
A response from successfully deleting multiple monitors. 
[
  {
    "id": "monitor1-id",
    "deleted": true
  },
  {
    "id": "monitor2-id",
    "deleted": true
  }
]

Update a monitor

PUT /api/synthetics/monitors/{id}
Api key auth Basic auth

Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type. You must have all privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. You can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the inline_scipt field of a HTTP monitor.

Path parameters

  • id string Required

    The identifier for the monitor that you want to update.

application/json

Body object Required

The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type.

One of:
Synthetics_browserMonitorFields object Synthetics_httpMonitorFields object Synthetics_icmpMonitorFields object Synthetics_tcpMonitorFields object
  • alert object

    The alert configuration. The default is { status: { enabled: true }, tls: { enabled: true } }.

  • enabled boolean

    Specify whether the monitor is enabled.

    Default value is true.

  • locations array[string]

    The location to deploy the monitor. Monitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations. To list available locations you can:

    • Run the elastic-synthetics locations command with the deployment's Kibana URL.
    • Go to Synthetics > Management and click Create monitor. Locations will be listed in Locations.
  • name string Required

    The monitor name.

  • namespace string

    The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: *, \, /, ?, ", <, >, |, whitespace, ,, #, :, or -.

    Default value is default.

  • params string

    The monitor parameters.

  • private_locations array[string]

    The private locations to which the monitors will be deployed. These private locations refer to locations hosted and managed by you, whereas locations are hosted by Elastic. You can specify a private location using the location's name. To list available private locations you can:

    • Run the elastic-synthetics locations command with the deployment's Kibana URL.
    • Go to Synthetics > Settings and click Private locationsr. Private locations will be listed in the table.


    You can provide locations or private_locations or both. At least one is required.

  • retest_on_failure boolean

    Turn retesting for when a monitor fails on or off. By default, monitors are automatically retested if the monitor goes from "up" to "down". If the result of the retest is also "down", an error will be created and if configured, an alert sent. The monitor will then resume running according to the defined schedule. Using retest_on_failure can reduce noise related to transient problems.

    Default value is true.

  • schedule number

    The monitor's schedule in minutes. Supported values are 1, 3, 5, 10, 15, 30, 60, 120, and 240. The default value is 3 minutes for HTTP, TCP, and ICMP monitors. The default value is 10 minutes for Browser monitors.

  • service.name string

    The APM service name.

  • tags array[string]

    An array of tags.

  • timeout number

    The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time.

    Default value is 16.

  • ignore_https_errors boolean

    Ignore HTTPS errors.

    Default value is false.

  • inline_script string Required

    The inline script.

  • playwright_options object

    Playwright options.

  • screenshots string

    The screenshot option.

    Values are on, off, or only-on-failure. Default value is on.

  • synthetics_args array

    Synthetics agent CLI arguments.

  • type string Required Discriminator

    The monitor type.

    Value is browser.
PUT /api/synthetics/monitors/{id} 
curl \
 --request PUT 'https://localhost:5601/api/synthetics/monitors/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"type\": \"http\",\n  \"name\": \"Website Availability\",\n  \"url\": \"https://example.com\",\n  \"tags\": [\"website\", \"availability\"],\n  \"locations\": [\"united_kingdom\"]\n}"'
Request examples
Update an HTTP monitor that checks a website's availability. 
{
  "type": "http",
  "name": "Website Availability",
  "url": "https://example.com",
  "tags": ["website", "availability"],
  "locations": ["united_kingdom"]
}
Update a TCP monitor that monitors a server's availability. 
{
  "type": "tcp",
  "name": "Server Availability",
  "host": "example.com",
  "private_locations": ["my_private_location"]
}
Update an ICMP monitor that performs ping checks. 
{
  "type": "icmp",
  "name": "Ping Test",
  "host": "example.com",
  "locations": ["united_kingdom"]
}
Update a browser monitor that checks a website. 
{
  "type": "browser",
  "name": "Example journey",
  "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))",
  "locations": ["united_kingdom"]
}

Delete a parameter

DELETE /api/synthetics/params/{id}
Api key auth Basic auth

Delete a parameter from the Synthetics app. You must have all privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.

Path parameters

  • id string Required

    The ID for the parameter to delete.

DELETE /api/synthetics/params/{id} 
curl \
 --request DELETE 'https://localhost:5601/api/synthetics/params/{id}' \
 --header "Authorization: $API_KEY"

Get private locations

GET /api/synthetics/private_locations
Api key auth Basic auth

Get a list of private locations. You must have read privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.

Responses

  • 200 application/json

    A successful response.

    Hide response attributes Show response attributes object
    • agentPolicyId string

      The ID of the agent policy associated with the private location.

    • geo object

      Geographic coordinates (WGS84) for the location.

      Hide geo attributes Show geo attributes object
      • lat number Required

        The latitude of the location.

      • lon number Required

        The longitude of the location.

    • id string

      The unique identifier of the private location.

    • isInvalid boolean

      Indicates whether the location is invalid. If true, the location is invalid, which means the agent policy associated with the location is deleted.

    • label string

      A label for the private location.

    • namespace string

      The namespace of the location, which is the same as the namespace of the agent policy associated with the location.
GET /api/synthetics/private_locations 
curl \
 --request GET 'https://localhost:5601/api/synthetics/private_locations' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
    {
        "label": "Test private location",
        "id": "fleet-server-policy",
        "agentPolicyId": "fleet-server-policy",
        "isInvalid": false,
        "geo": {
            "lat": 0,
            "lon": 0
        },
        "namespace": "default"
    },
    {
        "label": "Test private location 2",
        "id": "691225b0-6ced-11ee-8f5a-376306ee85ae",
        "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae",
        "isInvalid": false,
        "geo": {
            "lat": 0,
            "lon": 0
        },
        "namespace": "test"
    }
]

Create a private location

POST /api/synthetics/private_locations
Api key auth Basic auth

You must have all privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.

application/json

Body Required

  • agentPolicyId string Required

    The ID of the agent policy associated with the private location.

  • geo object

    Geographic coordinates (WGS84) for the location.

    Hide geo attributes Show geo attributes object
    • lat number Required

      The latitude of the location.

    • lon number Required

      The longitude of the location.

  • label string Required

    A label for the private location.

  • spaces array[string]

    An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces.

  • tags array[string]

    An array of tags to categorize the private location.

Responses

  • 200 application/json

    A successful response.
  • 400

    If the agentPolicyId is already used by an existing private location or if the label already exists, the API will return a 400 Bad Request response with a corresponding error message.

POST /api/synthetics/private_locations 
curl \
 --request POST 'https://localhost:5601/api/synthetics/private_locations' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"label\": \"Private Location 1\",\n  \"agentPolicyId\": \"abcd1234\",\n  \"tags\": [\"private\", \"testing\"],\n  \"geo\": {\n    \"lat\": 40.7128,\n    \"lon\": -74.0060\n  }\n  \"spaces\": [\"default\"]\n}"'
Request example
Run `POST /api/private_locations` to create a private location. 
{
  "label": "Private Location 1",
  "agentPolicyId": "abcd1234",
  "tags": ["private", "testing"],
  "geo": {
    "lat": 40.7128,
    "lon": -74.0060
  }
  "spaces": ["default"]
}
Response examples (200) 
{
  "id": "abcd1234",
  "label": "Private Location 1",
  "agentPolicyId": "abcd1234",
  "tags": ["private", "testing"],
  "geo": {
    "lat": 40.7128,
    "lon": -74.0060
  }
}

Delete a private location

DELETE /api/synthetics/private_locations/{id}
Api key auth Basic auth

You must have all privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion. A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location.

Path parameters

  • id string Required

    The unique identifier of the private location to be deleted.

    Minimum length is 1, maximum length is 1024.

DELETE /api/synthetics/private_locations/{id} 
curl \
 --request DELETE 'https://localhost:5601/api/synthetics/private_locations/{id}' \
 --header "Authorization: $API_KEY"