Delete a role
Path parameters
Minimum length is 1.
curl \
--request DELETE https://localhost:5601/api/security/role/{name} \
--header "kbn-xsrf: true"
The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation.
To interact with Kibana APIs, use the following operations:
You can prepend any Kibana API endpoint with kbn: and run the request in Dev Tools → Console.
For example:
GET kbn:/api/data_views
For more information about the console, refer to Run API requests.
NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
This documentation is derived from the main branch of the kibana repository.
It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.
This documentation contains work-in-progress information for future Elastic Stack releases.
This is version 1.0.2 of this API documentation.
Last update on Feb 11, 2025.
The version of the API to use
Value is 2023-10-31. Default value is 2023-10-31.
A required header to protect against CSRF attacks
Agent name
Privileges configuration
Values are event:write or config_agent:read.
curl \
--request POST https://localhost:5601/api/apm/agent_keys \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"name":"string","privileges":["event:write"]}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"name": "string",
"privileges": [
"event:write"
]
}
{
"agentKey": {
"api_key": "string",
"encoded": "string",
"expiration": 42,
"id": "string",
"name": "string"
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Create a new annotation for a specific service.
The version of the API to use
Value is 2023-10-31. Default value is 2023-10-31.
A required header to protect against CSRF attacks
The name of the service
curl \
--request POST https://localhost:5601/api/apm/services/{serviceName}/annotation \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"@timestamp": "string",
"message": "string",
"service": {
"environment": "string",
"version": "string"
},
"tags": [
"string"
]
}
{
"_id": "string",
"_index": "string",
"_source": {
"@timestamp": "string",
"annotation": {
"title": "string",
"type": "string"
},
"event": {
"created": "string"
},
"message": "string",
"service": {
"environment": "string",
"name": "string",
"version": "string"
},
"tags": [
"string"
]
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Returns an array of Fleet artifacts, including source map uploads.
The version of the API to use
Value is 2023-10-31. Default value is 2023-10-31.
curl \
--request GET https://localhost:5601/api/apm/sourcemaps \
--header "elastic-api-version: 2023-10-31"
{
"artifacts": [
{
"body": {
"bundleFilepath": "string",
"serviceName": "string",
"serviceVersion": "string",
"sourceMap": {
"file": "string",
"mappings": "string",
"sourceRoot": "string",
"sources": [
"string"
],
"sourcesContent": [
"string"
],
"version": 42.0
}
},
"compressionAlgorithm": "string",
"created": "string",
"decodedSha256": "string",
"decodedSize": 42.0,
"encodedSha256": "string",
"encodedSize": 42.0,
"encryptionAlgorithm": "string",
"id": "string",
"identifier": "string",
"packageName": "string",
"relative_url": "string",
"type": "string"
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}
Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.
An identifier for the connector.
The display name for the connector.
The connector configuration details.
Defines properties for connectors when type is .bedrock.
Defines secrets for connectors when type is .bedrock.
curl \
--request PUT https://localhost:5601/api/actions/connector/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"updated-connector","config":{"index":"updated-index"}}'
{
"name": "updated-connector",
"config": {
"index": "updated-index"
}
}
{
"config": {},
"connector_type_id": "string",
"id": "string",
"is_deprecated": true,
"is_missing_secrets": true,
"is_preconfigured": true,
"is_system_action": true,
"name": "string"
}
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request POST https://localhost:5601/api/fleet/agents/{agentId}/unenroll \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"force":true,"revoke":true}'
# Headers
kbn-xsrf: true
# Payload
{
"force": true,
"revoke": true
}
curl \
--request GET https://localhost:5601/api/fleet/agent_status
{
"results": {
"active": 42.0,
"all": 42.0,
"error": 42.0,
"events": 42.0,
"inactive": 42.0,
"offline": 42.0,
"online": 42.0,
"orphaned": 42.0,
"other": 42.0,
"unenrolled": 42.0,
"uninstalled": 42.0,
"updating": 42.0
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Values are simplified or legacy.
curl \
--request GET https://localhost:5601/api/fleet/package_policies/{packagePolicyId}
{
"item": {
"agents": 42.0,
"created_at": "string",
"created_by": "string",
"description": "string",
"elasticsearch": {
"privileges": {
"cluster": [
"string"
]
}
},
"enabled": true,
"id": "string",
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"revision": 42.0,
"secret_references": [
{
"id": "string"
}
],
"spaceIds": [
"string"
],
"supports_agentless": false,
"updated_at": "string",
"updated_by": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
{
"message": "string"
}
If true and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
curl \
--request GET https://localhost:5601/api/security/role
[
{
"name": "my_kibana_role",
"kibana": [
{
"base": [
"all"
],
"spaces": [
"*"
],
"feature": {}
}
],
"metadata": {
"version": 1
},
"description": "My kibana role description",
"elasticsearch": {
"run_as": [],
"cluster": [],
"indices": []
},
"transient_metadata": {
"enabled": true
}
},
{
"name": "my_admin_role",
"kibana": [],
"metadata": {
"version": 1
},
"description": "My admin role description",
"elasticsearch": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"query": "{\\\"match\\\": {\\\"title\\\": \\\"foo\\\"}}",
"privileges": [
"all"
],
"field_security": {
"grant": [
"title",
"body"
]
}
}
]
},
"transient_metadata": {
"enabled": true
}
}
]
Minimum length is 1.
curl \
--request DELETE https://localhost:5601/api/security/role/{name} \
--header "kbn-xsrf: true"
Delete detection rules in bulk.
Indicates a successful call.
Invalid input data response
Unsuccessful authentication response
Internal server error response
curl \
--request DELETE https://localhost:5601/api/detection_engine/rules/_bulk_delete \
--header "Content-Type: application/json" \
--data '[{"id":"string","rule_id":"string"}]'
[
{
"id": "string",
"rule_id": "string"
}
]
[
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
]
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Get a list of all endpoint exception list items.
Filters the returned results according to the value of the specified field, using the <field name>:<field value> syntax.
Minimum length is 1.
The page number to return
Minimum value is 0.
The number of exception list items to return per page
Minimum value is 0.
Determines which field is used to sort the results
Minimum length is 1.
Determines the sort order, which can be desc or asc
Values are desc or asc.
curl \
--request GET https://localhost:5601/api/endpoint_list/items/_find
{
"data": [
{
"_version": "string",
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"expire_time": "2025-05-04T09:42:00+00:00",
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"item_id": "simple_list_item",
"list_id": "simple_list",
"meta": {},
"name": "string",
"namespace_type": "agnostic",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "simple",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"page": 42,
"per_page": 42,
"pit": "string",
"total": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"message": "string",
"status_code": 42
}
Download a file from an endpoint.
curl \
--request GET https://localhost:5601/api/endpoint/action/{action_id}/file/{file_id}/download
{}
Get a list of all processes running on an endpoint.
The host agent type (optional). Defaults to endpoint.
Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.
A list of alert IDs.
At least 1 element. Minimum length of each is 1.
Case IDs to be updated (cannot contain empty strings)
At least 1 element. Minimum length of each is 1.
Optional comment
List of endpoint IDs (cannot contain empty strings)
At least 1 element. Minimum length of each is 1.
Optional parameters object
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/endpoint/action/running_procs \
--header "Content-Type: application/json" \
--data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{}}'
{
"agent_type": "endpoint",
"alert_ids": [
"string"
],
"case_ids": [
"string"
],
"comment": "string",
"endpoint_ids": [
"string"
],
"parameters": {}
}
{}
Additional properties are allowed.
curl \
--request GET 'https://localhost:5601/api/osquery/live_queries?query=%7B%7D'
{}
The deletion occurs for the specified list of sloId and instanceId. You must have all privileges for the SLOs feature in the Observability section of the Kibana feature privileges.
An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.
curl \
--request POST https://localhost:5601/s/default/api/observability/slos/_delete_instances \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"list":[{"instanceId":"8853df00-ae2e-11ed-90af-09bb6422b258","sloId":"8853df00-ae2e-11ed-90af-09bb6422b258"}]}'
# Headers
kbn-xsrf: string
# Payload
{
"list": [
{
"instanceId": "8853df00-ae2e-11ed-90af-09bb6422b258",
"sloId": "8853df00-ae2e-11ed-90af-09bb6422b258"
}
]
}
{
"error": "Bad Request",
"message": "Invalid value 'foo' supplied to: [...]",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Unauthorized",
"message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
"statusCode": 403
}
You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.
An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.
An identifier for the SLO.
curl \
--request POST https://localhost:5601/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414/enable \
--header "kbn-xsrf: string"
{
"error": "Bad Request",
"message": "Invalid value 'foo' supplied to: [...]",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Unauthorized",
"message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
"statusCode": 403
}
{
"error": "Not Found",
"message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
"statusCode": 404
}