Get rule details

GET /api/alerting/rule/{id}
Api key auth Basic auth

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • alerts_filter object

        Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • timeframe object

          Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • frequency object

        Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • use_alert_data_for_template boolean

        Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • alert_delay object

      Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • api_key_created_by_user boolean | null

      Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • last_duration number

        Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • status_change_threshold number Required

        The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • outcome_order number

        Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • mapped_params object

      Additional properties are allowed.

    • monitoring object

      Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • total_alerts_created number | null

              Total number of alerts created during last rule run.

            • total_alerts_detected number | null

              Total number of alerts detected during last rule run.

            • total_indexing_duration_ms number | null

              Total time spent indexing documents during last rule run in milliseconds.

            • total_search_duration_ms number | null

              Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • scheduled_task_id string

      Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • view_in_app_relative_url string | null

      Relative URL to view rule in the app.
  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

GET /api/alerting/rule/{id} 
curl \
 --request GET 'https://localhost:5601/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "actions": [
    {
      "alerts_filter": {
        "query": {
          "dsl": "string",
          "filters": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {},
              "query": {}
            }
          ],
          "kql": "string"
        },
        "timeframe": {
          "days": [
            1
          ],
          "hours": {
            "end": "string",
            "start": "string"
          },
          "timezone": "string"
        }
      },
      "connector_type_id": "string",
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": true,
        "throttle": "string"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "use_alert_data_for_template": true,
      "uuid": "string"
    }
  ],
  "active_snoozes": [
    "string"
  ],
  "alert_delay": {
    "active": 42.0
  },
  "api_key_created_by_user": true,
  "api_key_owner": "string",
  "consumer": "string",
  "created_at": "string",
  "created_by": "string",
  "enabled": true,
  "execution_status": {
    "error": {
      "message": "string",
      "reason": "read"
    },
    "last_duration": 42.0,
    "last_execution_date": "string",
    "status": "ok",
    "warning": {
      "message": "string",
      "reason": "maxExecutableActions"
    }
  },
  "flapping": {
    "look_back_window": 42.0,
    "status_change_threshold": 42.0
  },
  "id": "string",
  "is_snoozed_until": "string",
  "last_run": {
    "alerts_count": {
      "active": 42.0,
      "ignored": 42.0,
      "new": 42.0,
      "recovered": 42.0
    },
    "outcome": "succeeded",
    "outcome_msg": [
      "string"
    ],
    "outcome_order": 42.0,
    "warning": "read"
  },
  "mapped_params": {},
  "monitoring": {
    "run": {
      "calculated_metrics": {
        "p50": 42.0,
        "p95": 42.0,
        "p99": 42.0,
        "success_ratio": 42.0
      },
      "history": [
        {
          "duration": 42.0,
          "outcome": "succeeded",
          "success": true,
          "timestamp": 42.0
        }
      ],
      "last_run": {
        "metrics": {
          "duration": 42.0,
          "gap_duration_s": 42.0,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_alerts_created": 42.0,
          "total_alerts_detected": 42.0,
          "total_indexing_duration_ms": 42.0,
          "total_search_duration_ms": 42.0
        },
        "timestamp": "string"
      }
    }
  },
  "mute_all": true,
  "muted_alert_ids": [
    "string"
  ],
  "name": "string",
  "next_run": "string",
  "notify_when": "onActionGroupChange",
  "params": {},
  "revision": 42.0,
  "rule_type_id": "string",
  "running": true,
  "schedule": {
    "interval": "string"
  },
  "scheduled_task_id": "string",
  "snooze_schedule": [
    {
      "duration": 42.0,
      "id": "string",
      "rRule": {
        "byhour": [
          42.0
        ],
        "byminute": [
          42.0
        ],
        "bymonth": [
          42.0
        ],
        "bymonthday": [
          42.0
        ],
        "bysecond": [
          42.0
        ],
        "bysetpos": [
          42.0
        ],
        "byweekday": [
          "string"
        ],
        "byweekno": [
          42.0
        ],
        "byyearday": [
          42.0
        ],
        "count": 42.0,
        "dtstart": "string",
        "freq": 0,
        "interval": 42.0,
        "tzid": "string",
        "until": "string",
        "wkst": "MO"
      },
      "skipRecurrences": [
        "string"
      ]
    }
  ],
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updated_at": "string",
  "updated_by": "string",
  "view_in_app_relative_url": "string"
}

Mute all alerts

POST /api/alerting/rule/{id}/_mute_all
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_mute_all 
curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}/_mute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Mute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute 
curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Delete a snooze schedule for a rule

DELETE /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • ruleId string Required

    The identifier for the rule.

  • scheduleId string Required

    The identifier for the snooze schedule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given id does not exist.

DELETE /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId} 
curl \
 --request DELETE 'https://localhost:5601/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Lookup single agent configuration

POST /api/apm/settings/agent-configuration/search
Api key auth Basic auth

This endpoint enables you to search for a single agent configuration and update the 'applied_by_agent' field.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • etag string

    If etags match then applied_by_agent field will be set to true

  • mark_as_applied_by_agent boolean

    markAsAppliedByAgent=true means "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags

  • service object Required

    Service

    Hide service attributes Show service attributes object

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _id string

      Identifier

    • _index string

      Index

    • _score number

      Score

    • _source object

      Agent configuration

      Hide _source attributes Show _source attributes object
      • @timestamp number Required

        Timestamp

      • agent_name string

        Agent name

      • applied_by_agent boolean

        Applied by agent

      • etag string Required

        etag is sent by the APM agent to indicate the etag of the last successfully applied configuration. If the etag matches an existing configuration its applied_by_agent property will be set to true. Every time a configuration is edited applied_by_agent is reset to false.

      • service object Required

        Service

        Hide service attributes Show service attributes object
      • settings object Required

        Agent configuration settings

        Hide settings attribute Show settings attribute object
        • * string Additional properties
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/settings/agent-configuration/search 
curl \
 --request POST 'https://localhost:5601/api/apm/settings/agent-configuration/search' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '"{\n    \"etag\": \"1e58c178efeebae15c25c539da740d21dee422fc\",\n    \"service\" : {\n        \"name\": \"frontend\",\n        \"environment\": \"production\"\n    }\n}\n"'
Request example
Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. 
{
    "etag": "1e58c178efeebae15c25c539da740d21dee422fc",
    "service" : {
        "name": "frontend",
        "environment": "production"
    }
}
Response examples (200)
An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. 
{
  "_index": ".apm-agent-configuration",
  "_id": "CIaqXXABmQCdPphWj8EJ",
  "_score": 2,
  "_source": {
    "agent_name": "nodejs",
    "service": {
      "name": "frontend"
    },
    "settings": {
      "transaction_sample_rate": "1",
    },
    "@timestamp": 1582031336265,
    "applied_by_agent": false,
    "etag": "5080ed25785b7b19f32713681e79f46996801a5b"
  }
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

APM agent keys

Configure APM agent keys to authorize requests from APM agents to the APM Server.

Save APM server schema

POST /api/apm/fleet/apm_server_schema
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • schema object

    Schema object

    Additional properties are allowed.

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/fleet/apm_server_schema 
curl \
 --request POST 'https://localhost:5601/api/apm/fleet/apm_server_schema' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"schema":{"foo":"bar"}}'
Request examples 
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "schema": {
    "foo": "bar"
  }
}
Response examples (200) 
{}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

APM sourcemaps

Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur.

Push a case to an external service

POST /api/cases/{caseId}/connector/{connectorId}/_push
Api key auth Basic auth

You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

  • connectorId string Required

    An identifier for the connector. To retrieve connector IDs, use the find connectors API.

application/json

Body

object | null object | null

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required
      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
      Hide attributes Show attributes

    • connector object Required

      One of:
      Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:
        string-1 string | null boolean-2 boolean

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required
      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required
      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/connector/{connectorId}/_push 
curl \
 --request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/connector/abed3a70-71bd-11ea-a0b2-c51ea50a58e2/_push' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string"
Request examples 
# Headers
kbn-xsrf: string

# Payload
{}
Response examples (200) 
{
  "id": "b917f300-0ed9-11ed-bd18-65557fe66949",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzE3NjgsM10=",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "Low",
      "issueType": "10006"
    }
  },
  "created_at": "2022-07-29T00:59:39.444Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "updated_at": "2022-07-29T01:20:58.436Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "totalComment": 0,
  "external_service": {
    "pushed_at": "2022-07-29T01:20:58.436Z",
    "pushed_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "external_id": "71926",
    "connector_id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
    "external_url": "https://cases.jira.com",
    "connector_name": "My connector",
    "external_title": "ES-554"
  }
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get CCR Remote synced integrations status by outputId

GET /api/fleet/remote_synced_integrations/{outputId}/remote_status
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.

Responses

GET /api/fleet/remote_synced_integrations/{outputId}/remote_status 
curl \
 --request GET 'https://localhost:5601/api/fleet/remote_synced_integrations/{outputId}/remote_status' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "custom_assets": {
    "additionalProperty1": {
      "name": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "type": "string"
    },
    "additionalProperty2": {
      "name": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "type": "string"
    }
  },
  "error": "string",
  "integrations": [
    {
      "error": "string",
      "id": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "updated_at": "string"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Connectors

Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.

Connector documentation

Delete a connector

DELETE /api/actions/connector/{id}
Api key auth Basic auth

WARNING: When you delete a connector, it cannot be recovered.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

Responses

  • 204

    Indicates a successful call.

DELETE /api/actions/connector/{id} 
curl \
 --request DELETE 'https://localhost:5601/api/actions/connector/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get a dashboard Technical Preview

GET /api/dashboards/dashboard/{id}
Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Path parameters

  • id string Required

    A unique identifier for the dashboard.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • controlGroupInput object

          Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • autoApplySelections boolean

            Show apply selections button in controls.

            Default value is true.

          • chainingSystem string

            The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • controlConfig object

              Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • enhancements object

            Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • ignoreFilters boolean

              Ignore global filters in controls.

              Default value is false.

            • ignoreQuery boolean

              Ignore the global query bar in controls.

              Default value is false.

            • ignoreTimerange boolean

              Ignore the global time range in controls.

              Default value is false.

            • ignoreValidations boolean

              Ignore validations in controls.

              Default value is false.

          • labelPosition string

            Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • description string

          A short description.

          Default value is empty.

        • kibanaSavedObjectMeta object

          A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • searchSource object

            Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]

              A filter for the search source.

              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • hidePanelTitles boolean

            Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • syncTooltips boolean

            Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • panelRefName string
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • refreshInterval object

          A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • tags array[string]

          An array of tags applied to this dashboard

        • timeFrom string

          An ISO string indicating when to restore time from

        • timeRestore boolean

          Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • createdAt string
      • createdBy string
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • updatedAt string
      • updatedBy string
      • version string
    • meta object Required

      Additional properties are NOT allowed.

      Hide meta attributes Show meta attributes object
GET /api/dashboards/dashboard/{id} 
curl \
 --request GET 'https://localhost:5601/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "tags": [
        "string"
      ],
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  },
  "meta": {
    "aliasPurpose": "savedObjectConversion",
    "aliasTargetId": "string",
    "outcome": "exactMatch"
  }
}

Create a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • name string Required

    The name for a runtime field.

  • runtimeField object Required

    The runtime field definition object.

Responses

  • 200 application/json

    Indicates a successful call.
POST /api/data_views/data_view/{viewId}/runtime_field 
curl \
 --request POST 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
Request example 
{
  "name": "runtimeFoo",
  "runtimeField": {
    "type": "long",
    "script": {
      "source": "emit(doc[\"foo\"].value)"
    }
  }
}
Response examples (200) 
{}

Create an agent binary download source

POST /api/fleet/agent_download_sources
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agent_download_sources 
curl \
 --request POST 'https://localhost:5601/api/fleet/agent_download_sources' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host":"https://example.com","id":"string","is_default":false,"name":"string","proxy_id":"string","secrets":{"ssl":{"key":{"id":"string"}}},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string"}}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "host": "https://example.com",
  "id": "string",
  "is_default": false,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string"
  }
}
Response examples (200) 
{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string",
    "secrets": {
      "ssl": {
        "key": {
          "id": "string"
        }
      }
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string"
    }
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Elastic Agent status

Elastic Agents

Get agents

GET /api/fleet/agents
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agents-read.

Query parameters

Responses

GET /api/fleet/agents 
curl \
 --request GET 'https://localhost:5601/api/fleet/agents' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "items": [
    {
      "access_api_key": "string",
      "access_api_key_id": "string",
      "active": true,
      "agent": {
        "id": "string",
        "version": "string"
      },
      "audit_unenrolled_reason": "string",
      "components": [
        {
          "id": "string",
          "message": "string",
          "status": "STARTING",
          "type": "string",
          "units": [
            {
              "id": "string",
              "message": "string",
              "payload": {},
              "status": "STARTING",
              "type": "input"
            }
          ]
        }
      ],
      "default_api_key": "string",
      "default_api_key_history": [
        {
          "id": "string",
          "retired_at": "string"
        }
      ],
      "default_api_key_id": "string",
      "enrolled_at": "string",
      "id": "string",
      "last_checkin": "string",
      "last_checkin_message": "string",
      "last_checkin_status": "error",
      "local_metadata": {},
      "metrics": {
        "cpu_avg": 42.0,
        "memory_size_byte_avg": 42.0
      },
      "namespaces": [
        "string"
      ],
      "outputs": {
        "additionalProperty1": {
          "api_key_id": "string",
          "to_retire_api_key_ids": [
            {
              "id": "string",
              "retired_at": "string"
            }
          ],
          "type": "string"
        },
        "additionalProperty2": {
          "api_key_id": "string",
          "to_retire_api_key_ids": [
            {
              "id": "string",
              "retired_at": "string"
            }
          ],
          "type": "string"
        }
      },
      "packages": [
        "string"
      ],
      "policy_id": "string",
      "policy_revision": 42.0,
      "sort": [],
      "status": "offline",
      "tags": [
        "string"
      ],
      "type": "PERMANENT",
      "unenrolled_at": "string",
      "unenrollment_started_at": "string",
      "unhealthy_reason": [
        "input"
      ],
      "upgrade_attempts": [
        "string"
      ],
      "upgrade_details": {
        "action_id": "string",
        "metadata": {
          "download_percent": 42.0,
          "download_rate": 42.0,
          "error_msg": "string",
          "failed_state": "UPG_REQUESTED",
          "retry_error_msg": "string",
          "retry_until": "string",
          "scheduled_at": "string"
        },
        "state": "UPG_REQUESTED",
        "target_version": "string"
      },
      "upgrade_started_at": "string",
      "upgraded_at": "string",
      "user_provided_metadata": {}
    }
  ],
  "nextSearchAfter": "string",
  "page": 42.0,
  "perPage": 42.0,
  "pit": "string",
  "statusSummary": {
    "additionalProperty1": 42.0,
    "additionalProperty2": 42.0
  },
  "total": 42.0
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent

GET /api/fleet/agents/{agentId}
Api key auth Basic auth

Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read.

Query parameters

Responses

GET /api/fleet/agents/{agentId} 
curl \
 --request GET 'https://localhost:5601/api/fleet/agents/{agentId}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "access_api_key": "string",
    "access_api_key_id": "string",
    "active": true,
    "agent": {
      "id": "string",
      "version": "string"
    },
    "audit_unenrolled_reason": "string",
    "components": [
      {
        "id": "string",
        "message": "string",
        "status": "STARTING",
        "type": "string",
        "units": [
          {
            "id": "string",
            "message": "string",
            "payload": {},
            "status": "STARTING",
            "type": "input"
          }
        ]
      }
    ],
    "default_api_key": "string",
    "default_api_key_history": [
      {
        "id": "string",
        "retired_at": "string"
      }
    ],
    "default_api_key_id": "string",
    "enrolled_at": "string",
    "id": "string",
    "last_checkin": "string",
    "last_checkin_message": "string",
    "last_checkin_status": "error",
    "local_metadata": {},
    "metrics": {
      "cpu_avg": 42.0,
      "memory_size_byte_avg": 42.0
    },
    "namespaces": [
      "string"
    ],
    "outputs": {
      "additionalProperty1": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      },
      "additionalProperty2": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      }
    },
    "packages": [
      "string"
    ],
    "policy_id": "string",
    "policy_revision": 42.0,
    "sort": [],
    "status": "offline",
    "tags": [
      "string"
    ],
    "type": "PERMANENT",
    "unenrolled_at": "string",
    "unenrollment_started_at": "string",
    "unhealthy_reason": [
      "input"
    ],
    "upgrade_attempts": [
      "string"
    ],
    "upgrade_details": {
      "action_id": "string",
      "metadata": {
        "download_percent": 42.0,
        "download_rate": 42.0,
        "error_msg": "string",
        "failed_state": "UPG_REQUESTED",
        "retry_error_msg": "string",
        "retry_until": "string",
        "scheduled_at": "string"
      },
      "state": "UPG_REQUESTED",
      "target_version": "string"
    },
    "upgrade_started_at": "string",
    "upgraded_at": "string",
    "user_provided_metadata": {}
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete an uploaded file

DELETE /api/fleet/agents/files/{fileId}
Api key auth Basic auth

Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

DELETE /api/fleet/agents/files/{fileId} 
curl \
 --request DELETE 'https://localhost:5601/api/fleet/agents/files/{fileId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"
Response examples (200) 
{
  "deleted": true,
  "id": "string"
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get packages

GET /api/fleet/epm/packages
Api key auth Basic auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Responses

GET /api/fleet/epm/packages 
curl \
 --request GET 'https://localhost:5601/api/fleet/epm/packages' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "items": [
    {
      "categories": [
        "string"
      ],
      "conditions": {
        "elastic": {
          "capabilities": [
            "string"
          ],
          "subscription": "string"
        },
        "kibana": {
          "version": "string"
        }
      },
      "data_streams": [
        {}
      ],
      "description": "string",
      "discovery": {
        "fields": [
          {
            "name": "string"
          }
        ]
      },
      "download": "string",
      "format_version": "string",
      "icons": [
        {
          "dark_mode": true,
          "path": "string",
          "size": "string",
          "src": "string",
          "title": "string",
          "type": "string"
        }
      ],
      "id": "string",
      "installationInfo": {
        "additional_spaces_installed_kibana": {
          "additionalProperty1": [
            {
              "id": "string",
              "originId": "string",
              "type": "dashboard"
            }
          ],
          "additionalProperty2": [
            {
              "id": "string",
              "originId": "string",
              "type": "dashboard"
            }
          ]
        },
        "created_at": "string",
        "experimental_data_stream_features": [
          {
            "data_stream": "string",
            "features": {
              "doc_value_only_numeric": true,
              "doc_value_only_other": true,
              "synthetic_source": true,
              "tsdb": true
            }
          }
        ],
        "install_format_schema_version": "string",
        "install_source": "registry",
        "install_status": "installed",
        "installed_es": [
          {
            "deferred": true,
            "id": "string",
            "type": "index",
            "version": "string"
          }
        ],
        "installed_kibana": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ],
        "installed_kibana_space_id": "string",
        "latest_executed_state": {
          "error": "string",
          "name": "string",
          "started_at": "string"
        },
        "latest_install_failed_attempts": [
          {
            "created_at": "string",
            "error": {
              "message": "string",
              "name": "string",
              "stack": "string"
            },
            "target_version": "string"
          }
        ],
        "name": "string",
        "namespaces": [
          "string"
        ],
        "type": "string",
        "updated_at": "string",
        "verification_key_id": "string",
        "verification_status": "unverified",
        "version": "string"
      },
      "integration": "string",
      "internal": true,
      "latestVersion": "string",
      "name": "string",
      "owner": {
        "github": "string",
        "type": "elastic"
      },
      "path": "string",
      "policy_templates": [
        {}
      ],
      "readme": "string",
      "release": "ga",
      "signature_path": "string",
      "source": {
        "license": "string"
      },
      "status": "string",
      "title": "string",
      "type": "integration",
      "vars": [
        {}
      ],
      "version": "string"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Install Kibana assets for a package

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
Api key auth Basic auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

  • force boolean
  • space_ids array[string]

    When provided install assets in the specified spaces instead of the current space.

    At least 1 element.

Responses

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets 
curl \
 --request POST 'https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"space_ids":["string"]}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "space_ids": [
    "string"
  ]
}
Response examples (200) 
{
  "success": true
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Fleet enrollment API keys

Get an enrollment API key

GET /api/fleet/enrollment_api_keys/{keyId}
Api key auth Basic auth

Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • policy_id string

        The ID of the agent policy the Elastic Agent will be enrolled in.
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/enrollment_api_keys/{keyId} 
curl \
 --request GET 'https://localhost:5601/api/fleet/enrollment_api_keys/{keyId}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "active": true,
    "api_key": "string",
    "api_key_id": "string",
    "created_at": "string",
    "id": "string",
    "name": "string",
    "policy_id": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete output

DELETE /api/fleet/outputs/{outputId}
Api key auth Basic auth

Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

DELETE /api/fleet/outputs/{outputId} 
curl \
 --request DELETE 'https://localhost:5601/api/fleet/outputs/{outputId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"
Response examples (200) 
{
  "id": "string"
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get the latest output health

GET /api/fleet/outputs/{outputId}/health
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-settings-read.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • message string Required

      long message if unhealthy

    • state string Required

      state of output, HEALTHY or DEGRADED

    • timestamp string Required

      timestamp of reported state
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/outputs/{outputId}/health 
curl \
 --request GET 'https://localhost:5601/api/fleet/outputs/{outputId}/health' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "message": "string",
  "state": "string",
  "timestamp": "string"
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a package policy

GET /api/fleet/package_policies/{packagePolicyId}
Api key auth Basic auth

Get a package policy by ID.

Query parameters

  • format string

    Values are simplified or legacy.

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • additional_datastreams_permissions array[string] | null

        Additional datastream permissions, that will be added to the agent policy.

      • agents number
      • created_at string Required
      • created_by string Required
      • description string

        Package policy description

      • elasticsearch object

        Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • privileges object

          Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required

      • inputs array[object] | object Required

        Any of:
        array-1 array[object] object-2 object
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • keep_enabled boolean
        • policy_template string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • keep_enabled boolean
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • namespace string

        The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required

      • vars object

        Any of:
        object-1 object object-2 object

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 404 application/json
    Hide response attribute Show response attribute object
GET /api/fleet/package_policies/{packagePolicyId} 
curl \
 --request GET 'https://localhost:5601/api/fleet/package_policies/{packagePolicyId}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "additional_datastreams_permissions": [
      "string"
    ],
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404) 
{
  "message": "string"
}

Fleet Server hosts

Fleet service tokens

Get metadata for latest uninstall tokens

GET /api/fleet/uninstall_tokens
Api key auth Basic auth

List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all.

Query parameters

  • policyId string

    Partial match filtering for policy IDs

    Maximum length is 50.

  • perPage number

    The number of items to return

    Minimum value is 5.

  • page number

    Minimum value is 1.

Responses

GET /api/fleet/uninstall_tokens 
curl \
 --request GET 'https://localhost:5601/api/fleet/uninstall_tokens' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "items": [
    {
      "created_at": "string",
      "id": "string",
      "namespaces": [
        "string"
      ],
      "policy_id": "string",
      "policy_name": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a decrypted uninstall token

GET /api/fleet/uninstall_tokens/{uninstallTokenId}
Api key auth Basic auth

Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all.

Responses

GET /api/fleet/uninstall_tokens/{uninstallTokenId} 
curl \
 --request GET 'https://localhost:5601/api/fleet/uninstall_tokens/{uninstallTokenId}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "created_at": "string",
    "id": "string",
    "namespaces": [
      "string"
    ],
    "policy_id": "string",
    "policy_name": "string",
    "token": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Create or update a role

PUT /api/security/role/{name}
Api key auth Basic auth

Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • name string Required

    The role name.

    Minimum length is 1, maximum length is 1024.

Query parameters

  • createOnly boolean

    When true, a role is not overwritten if it already exists.

    Default value is false.

application/json

Body

  • description string

    A description for the role.

    Maximum length is 2048.

  • elasticsearch object Required

    Additional properties are NOT allowed.

    Hide elasticsearch attributes Show elasticsearch attributes object
    • cluster array[string]

      Cluster privileges that define the cluster level actions that users can perform.

    • indices array[object]
      Hide indices attributes Show indices attributes object
      • allow_restricted_indices boolean

        Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.

      • field_security object
        Hide field_security attribute Show field_security attribute object
        • * array[string] Additional properties

          The document fields that the role members have read access to.

      • names array[string] Required

        The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).

        At least 1 element.

      • privileges array[string] Required

        The index level privileges that the role members have for the data streams and indices.

        At least 1 element.

      • query string

        A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

    • remote_cluster array[object]
      Hide remote_cluster attributes Show remote_cluster attributes object
      • clusters array[string] Required

        A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

        At least 1 element.

      • privileges array[string] Required

        The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.

        At least 1 element.

    • remote_indices array[object]
      Hide remote_indices attributes Show remote_indices attributes object
      • allow_restricted_indices boolean

        Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.

      • clusters array[string] Required

        A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

        At least 1 element.

      • field_security object
        Hide field_security attribute Show field_security attribute object
        • * array[string] Additional properties

          The document fields that the role members have read access to.

      • names array[string] Required

        A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).

        At least 1 element.

      • privileges array[string] Required

        The index level privileges that role members have for the specified indices.

        At least 1 element.

      • query string

        A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

    • run_as array[string]

      A user name that the role member can impersonate.

  • kibana array[object]
    Hide kibana attributes Show kibana attributes object
  • metadata object

    Additional properties are allowed.

Responses

  • 204

    Indicates a successful call.

PUT /api/security/role/{name} 
curl \
 --request PUT 'https://localhost:5601/api/security/role/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"kibana":[{"base":[],"spaces":["default"],"feature":{"discover":["all"],"dashboard":["all"]}},{"base":["read"],"spaces":["marketing","sales"]}],"metadata":{"version":1},"description":"Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.","elasticsearch":{"cluster":[],"indices":[]}}'
Request examples
Grant access to various features in some spaces. 
{
  "kibana": [
    {
      "base": [],
      "spaces": [
        "default"
      ],
      "feature": {
        "discover": [
          "all"
        ],
        "dashboard": [
          "all"
        ]
      }
    },
    {
      "base": [
        "read"
      ],
      "spaces": [
        "marketing",
        "sales"
      ]
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.",
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant access to dashboard features in a Marketing space. 
{
  "kibana": [
    {
      "base": [],
      "spaces": [
        "marketing"
      ],
      "feature": {
        "dashboard": [
          "read"
        ]
      }
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant dashboard access in the Marketing space.",
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant full access to all features in the default space. 
{
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant Elasticsearch and Kibana feature privileges. 
{
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space.",
  "elasticsearch": {
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "index1",
          "index2"
        ],
        "privileges": [
          "all"
        ]
      }
    ],
    "remote_cluster": [
      {
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "monitor_enrich"
        ]
      }
    ],
    "remote_indices": [
      {
        "names": [
          "remote_index1",
          "remote_index2"
        ],
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "all"
        ]
      }
    ]
  }
}

Create or update roles

POST /api/security/roles
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • roles object Required
    Hide roles attribute Show roles attribute object
    • * object Additional properties

      Additional properties are NOT allowed.

      Hide * attributes Show * attributes object
      • description string

        A description for the role.

        Maximum length is 2048.

      • elasticsearch object Required

        Additional properties are NOT allowed.

        Hide elasticsearch attributes Show elasticsearch attributes object
        • cluster array[string]

          Cluster privileges that define the cluster level actions that users can perform.

        • indices array[object]
          Hide indices attributes Show indices attributes object
          • allow_restricted_indices boolean

            Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.

          • field_security object
            Hide field_security attribute Show field_security attribute object
            • * array[string] Additional properties

              The document fields that the role members have read access to.

          • names array[string] Required

            The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).

            At least 1 element.

          • privileges array[string] Required

            The index level privileges that the role members have for the data streams and indices.

            At least 1 element.

          • query string

            A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

        • remote_cluster array[object]
          Hide remote_cluster attributes Show remote_cluster attributes object
          • clusters array[string] Required

            A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

            At least 1 element.

          • privileges array[string] Required

            The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.

            At least 1 element.

        • remote_indices array[object]
          Hide remote_indices attributes Show remote_indices attributes object
          • allow_restricted_indices boolean

            Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.

          • clusters array[string] Required

            A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

            At least 1 element.

          • field_security object
            Hide field_security attribute Show field_security attribute object
            • * array[string] Additional properties

              The document fields that the role members have read access to.

          • names array[string] Required

            A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).

            At least 1 element.

          • privileges array[string] Required

            The index level privileges that role members have for the specified indices.

            At least 1 element.

          • query string

            A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

        • run_as array[string]

          A user name that the role member can impersonate.

      • kibana array[object]
        Hide kibana attributes Show kibana attributes object
      • metadata object

        Additional properties are allowed.

Responses

  • 200

    Indicates a successful call.

POST /api/security/roles 
curl \
 --request POST 'https://localhost:5601/api/security/roles' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"roles":{"additionalProperty1":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}},"additionalProperty2":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}}}}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "roles": {
    "additionalProperty1": {
      "description": "string",
      "elasticsearch": {
        "cluster": [
          "string"
        ],
        "indices": [
          {
            "allow_restricted_indices": true,
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "remote_cluster": [
          {
            "clusters": [
              "string"
            ],
            "privileges": [
              "string"
            ]
          }
        ],
        "remote_indices": [
          {
            "allow_restricted_indices": true,
            "clusters": [
              "string"
            ],
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "run_as": [
          "string"
        ]
      },
      "kibana": [
        {
          "base": [],
          "feature": {
            "additionalProperty1": [
              "string"
            ],
            "additionalProperty2": [
              "string"
            ]
          },
          "spaces": [
            "*"
          ]
        }
      ],
      "metadata": {}
    },
    "additionalProperty2": {
      "description": "string",
      "elasticsearch": {
        "cluster": [
          "string"
        ],
        "indices": [
          {
            "allow_restricted_indices": true,
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "remote_cluster": [
          {
            "clusters": [
              "string"
            ],
            "privileges": [
              "string"
            ]
          }
        ],
        "remote_indices": [
          {
            "allow_restricted_indices": true,
            "clusters": [
              "string"
            ],
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "run_as": [
          "string"
        ]
      },
      "kibana": [
        {
          "base": [],
          "feature": {
            "additionalProperty1": [
              "string"
            ],
            "additionalProperty2": [
              "string"
            ]
          },
          "spaces": [
            "*"
          ]
        }
      ],
      "metadata": {}
    }
  }
}

Security AI assistant

Manage and interact with Security Assistant resources.

Update a conversation

PUT /api/security_ai_assistant/current_user/conversations/{id}
Api key auth Basic auth

Update an existing conversation using the conversation ID.

Path parameters

  • id string(nonempty) Required

    The conversation's id value.

    Minimum length is 1.

application/json

Body Required

  • apiConfig object

    LLM API configuration.

    Hide apiConfig attributes Show apiConfig attributes object
  • category string

    The conversation category.

    Values are assistant or insights.

  • excludeFromLastConversationStorage boolean

    excludeFromLastConversationStorage.

  • id string(nonempty) Required

    A string that does not contain only whitespace characters

    Minimum length is 1.

  • messages array[object]

    The conversation messages.

    AI assistant conversation message.

    Hide messages attributes Show messages attributes object
    • content string Required

      Message content.

    • isError boolean

      Is error message.

    • metadata object

      metadata

      Hide metadata attribute Show metadata attribute object
    • reader object

      Message content.

      Additional properties are allowed.

    • role string Required

      Message role.

      Values are system, user, or assistant.

    • timestamp string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • traceData object

      trace Data

      Hide traceData attributes Show traceData attributes object
      • traceId string

        Could be any string, not necessarily a UUID

      • transactionId string

        Could be any string, not necessarily a UUID

  • replacements object

    Replacements object used to anonymize/deanomymize messsages

    Hide replacements attribute Show replacements attribute object
    • * string Additional properties
  • summary object
    Hide summary attributes Show summary attributes object
    • confidence string

      How confident you are about this being a correct and useful learning.

      Values are low, medium, or high.

    • content string

      Summary text of the conversation over time.

    • public boolean

      Define if summary is marked as publicly available.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • title string

    The conversation title.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • apiConfig object

      LLM API configuration.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The time conversation was created.

    • excludeFromLastConversationStorage boolean

      excludeFromLastConversationStorage.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • messages array[object]

      The conversation messages.

      AI assistant conversation message.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        metadata

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • traceData object

        trace Data

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • transactionId string

          Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • replacements object

      Replacements object used to anonymize/deanomymize messsages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object
      Hide summary attributes Show summary attributes object
      • confidence string

        How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • title string Required

      The conversation title.

    • updatedAt string

      The last time conversation was updated.

    • users array[object] Required

      Could be any string, not necessarily a UUID

      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
PUT /api/security_ai_assistant/current_user/conversations/{id} 
curl \
 --request PUT 'https://localhost:5601/api/security_ai_assistant/current_user/conversations/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"apiConfig":{"actionTypeId":"string","connectorId":"string","defaultSystemPromptId":"string","model":"string","provider":"OpenAI"},"category":"assistant","excludeFromLastConversationStorage":true,"id":"string","messages":[{"content":"string","isError":true,"metadata":{"contentReferences":{}},"reader":{},"role":"system","timestamp":"string","traceData":{"traceId":"string","transactionId":"string"}}],"replacements":{"additionalProperty1":"string","additionalProperty2":"string"},"summary":{"confidence":"low","content":"string","public":true,"timestamp":"string"},"title":"string"}'
Request examples 
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "summary": {
    "confidence": "low",
    "content": "string",
    "public": true,
    "timestamp": "string"
  },
  "title": "string"
}
Response examples (200) 
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "createdAt": "string",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "namespace": "string",
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "summary": {
    "confidence": "low",
    "content": "string",
    "public": true,
    "timestamp": "string"
  },
  "timestamp": "string",
  "title": "string",
  "updatedAt": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a Knowledge Base Entry

POST /api/security_ai_assistant/knowledge_base/entries
Api key auth Basic auth

Create a Knowledge Base Entry

application/json

Body object Required

Any of:
Security_AI_Assistant_API_DocumentEntryCreateFields object Security_AI_Assistant_API_IndexEntryCreateFields object
  • global boolean

    Whether this Knowledge Base Entry is global, defaults to false

  • name string Required

    Name of the Knowledge Base Entry

  • namespace string

    Kibana Space, defaults to 'default' space

  • users array[object]

    Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

    Could be any string, not necessarily a UUID

    Hide users attributes Show users attributes object
  • kbResource string Required

    Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc

    Values are security_labs or user.

  • source string Required

    Source document name or filepath

  • text string Required

    Knowledge Base Entry content

  • type string Required Discriminator

    Entry type

    Value is document.

  • required boolean

    Whether this resource should always be included, defaults to false

  • vector object

    Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

    Hide vector attributes Show vector attributes object
    • modelId string Required

      ID of the model used to create the embeddings

    • tokens object Required

      Tokens with their corresponding values

      Hide tokens attribute Show tokens attribute object
      • * number Additional properties

Responses

  • 200 application/json

    Successful request returning Knowledge Base Entries

    Any of:
    Security_AI_Assistant_API_DocumentEntryResponseFields object Security_AI_Assistant_API_IndexEntryResponseFields object
    Hide attributes Show attributes
    • global boolean Required

      Whether this Knowledge Base Entry is global, defaults to false

    • name string Required

      Name of the Knowledge Base Entry

    • namespace string Required

      Kibana Space, defaults to 'default' space

    • users array[object] Required

      Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

      Could be any string, not necessarily a UUID

      Hide users attributes Show users attributes object
    • createdAt string Required

      Time the Knowledge Base Entry was created

    • createdBy string Required

      User who created the Knowledge Base Entry

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • updatedAt string Required

      Time the Knowledge Base Entry was last updated

    • updatedBy string Required

      User who last updated the Knowledge Base Entry

    • kbResource string Required

      Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc

      Values are security_labs or user.

    • source string Required

      Source document name or filepath

    • text string Required

      Knowledge Base Entry content

    • type string Required Discriminator

      Entry type

      Value is document.

    • required boolean

      Whether this resource should always be included, defaults to false

    • vector object

      Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

      Hide vector attributes Show vector attributes object
      • modelId string Required

        ID of the model used to create the embeddings

      • tokens object Required

        Tokens with their corresponding values

        Hide tokens attribute Show tokens attribute object
        • * number Additional properties
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
POST /api/security_ai_assistant/knowledge_base/entries 
curl \
 --request POST 'https://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"global":true,"name":"string","namespace":"string","users":[{"id":"string","name":"string"}],"kbResource":"security_labs","source":"string","text":"string","type":"document","required":true,"vector":{"modelId":"string","tokens":{"additionalProperty1":42.0,"additionalProperty2":42.0}}}'
Request examples 
{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "kbResource": "security_labs",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}
{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}
Response examples (200) 
{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "kbResource": "security_labs",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}
{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Finds Knowledge Base Entries that match the given query.

GET /api/security_ai_assistant/knowledge_base/entries/_find
Api key auth Basic auth

Finds Knowledge Base Entries that match the given query.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • sort_field string

    Field to sort by

    Values are created_at, is_default, title, or updated_at.

  • sort_order string

    Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Knowledge Base Entries per page

    Minimum value is 0. Default value is 20.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • data array[object] Required
      Any of:
      Security_AI_Assistant_API_DocumentEntryResponseFields object Security_AI_Assistant_API_IndexEntryResponseFields object
      Hide attributes Show attributes
      • global boolean Required

        Whether this Knowledge Base Entry is global, defaults to false

      • name string Required

        Name of the Knowledge Base Entry

      • namespace string Required

        Kibana Space, defaults to 'default' space

      • users array[object] Required

        Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

        Could be any string, not necessarily a UUID

        Hide users attributes Show users attributes object
      • createdAt string Required

        Time the Knowledge Base Entry was created

      • createdBy string Required

        User who created the Knowledge Base Entry

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updatedAt string Required

        Time the Knowledge Base Entry was last updated

      • updatedBy string Required

        User who last updated the Knowledge Base Entry

      • kbResource string Required

        Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc

        Values are security_labs or user.

      • source string Required

        Source document name or filepath

      • text string Required

        Knowledge Base Entry content

      • type string Required Discriminator

        Entry type

        Value is document.

      • required boolean

        Whether this resource should always be included, defaults to false

      • vector object

        Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

        Hide vector attributes Show vector attributes object
        • modelId string Required

          ID of the model used to create the embeddings

        • tokens object Required

          Tokens with their corresponding values

          Hide tokens attribute Show tokens attribute object
          • * number Additional properties
    • page integer Required
    • perPage integer Required
    • total integer Required
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/knowledge_base/entries/_find 
curl \
 --request GET 'https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": [
    {
      "global": true,
      "name": "string",
      "namespace": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ],
      "createdAt": "string",
      "createdBy": "string",
      "id": "string",
      "updatedAt": "string",
      "updatedBy": "string",
      "kbResource": "security_labs",
      "source": "string",
      "text": "string",
      "type": "document",
      "required": true,
      "vector": {
        "modelId": "string",
        "tokens": {
          "additionalProperty1": 42.0,
          "additionalProperty2": 42.0
        }
      }
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get file information

GET /api/endpoint/action/{action_id}/file/{file_id}
Api key auth Basic auth

Get information for the specified file using the file ID.

Path parameters

Responses

  • 200 application/json

    OK
GET /api/endpoint/action/{action_id}/file/{file_id} 
curl \
 --request GET 'https://localhost:5601/api/endpoint/action/{action_id}/file/{file_id}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{}

Upload a file

POST /api/endpoint/action/upload
Api key auth Basic auth

Upload a file to an endpoint.

multipart/form-data

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Optional parameters object

    Hide parameters attribute Show parameters attribute object
    • overwrite boolean

      Overwrite the file on the host if it already exists.

      Default value is false.

  • file string(binary) Required

    The binary content of the file.

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/upload 
curl \
 --request POST 'https://localhost:5601/api/endpoint/action/upload' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --form "file=RWxhc3RpYw==" \
 --form 'parameters={}' \
 --form "endpoint_ids[]=ed518850-681a-4d60-bb98-e22640cae2a8"
Request example 
{"file"=>"RWxhc3RpYw==", "parameters"=>{}, "endpoint_ids"=>["ed518850-681a-4d60-bb98-e22640cae2a8"]}
Response examples (200) 
{
  "data": {
    "id": "9ff6aebc-2cb6-481e-8869-9b30036c9731",
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "Host-5i6cuc8kdv"
      }
    },
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "status": "pending",
    "command": "upload",
    "outputs": {},
    "agentType": "endpoint",
    "createdBy": "elastic",
    "isExpired": false,
    "startedAt": "2023-07-03T15:07:22.837Z",
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "parameters": {
      "file_id": "10e4ce3d-4abb-4f93-a0cd-eaf63a489280",
      "file_name": "fix-malware.sh",
      "file_size": 69,
      "file_sha256": "a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a"
    },
    "isCompleted": false,
    "wasSuccessful": false
  }
}

Upsert an asset criticality record

POST /api/asset_criticality
Api key auth Basic auth

Create or update an asset criticality record for a specific entity.

If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.

application/json

Body Required

  • id_field string Required

    Values are host.name, user.name, service.name, or entity.id.

  • id_value string Required

    The ID value of the asset.

  • criticality_level string Required

    The criticality level of the asset.

    Values are low_impact, medium_impact, high_impact, or extreme_impact.

  • refresh string

    If 'wait_for' the request will wait for the index refresh.

    Value is wait_for.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object

    The deleted record if it existed.

    • id_field string Required

      Values are host.name, user.name, service.name, or entity.id.

    • id_value string Required

      The ID value of the asset.

    • criticality_level string Required

      The criticality level of the asset.

      Values are low_impact, medium_impact, high_impact, or extreme_impact.

    • asset object Required
      Hide asset attribute Show asset attribute object
      • criticality string

        The criticality level of the asset.

        Values are low_impact, medium_impact, high_impact, or extreme_impact.

    • host object
      Hide host attributes Show host attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • service object
      Hide service attributes Show service attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • user object
      Hide user attributes Show user attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • @timestamp string(date-time) Required

      The time the record was created or updated.
  • 400

    Invalid request

POST /api/asset_criticality 
curl \
 --request POST 'https://localhost:5601/api/asset_criticality' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"id_field":"host.name","id_value":"my_host","criticality_level":"high_impact"}'
Request example 
{
  "id_field": "host.name",
  "id_value": "my_host",
  "criticality_level": "high_impact"
}
Response examples (200) 
{
  "host": {
    "name": "my_host",
    "asset": {
      "criticality": "high_impact"
    }
  },
  "asset": {
    "criticality": "high_impact"
  },
  "id_field": "host.name",
  "id_value": "my_host",
  "@timestamp": "2024-08-02T11:15:34.290Z",
  "criticality_level": "high_impact"
}

Delete the Entity Engine

DELETE /api/entity_store/engines/{entityType}
Api key auth Basic auth

Path parameters

  • entityType string Required

    The entity type of the engine (either 'user' or 'host').

    Values are user, host, service, or generic.

Query parameters

  • data boolean

    Control flag to also delete the entity data.

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
DELETE /api/entity_store/engines/{entityType} 
curl \
 --request DELETE 'https://localhost:5601/api/entity_store/engines/{entityType}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "deleted": true
}