Download a file
Download a file from an endpoint.
curl \
--request GET https://localhost:5601/api/endpoint/action/{action_id}/file/{file_id}/download
{}
The identifier for the rule.
curl \
--request GET https://localhost:5601/api/alerting/rule/{id}
{
"actions": [
{
"alerts_filter": {
"query": {
"dsl": "string",
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {},
"query": {}
}
],
"kql": "string"
},
"timeframe": {
"days": [
1
],
"hours": {
"end": "string",
"start": "string"
},
"timezone": "string"
}
},
"connector_type_id": "string",
"frequency": {
"notify_when": "onActionGroupChange",
"summary": true,
"throttle": "string"
},
"group": "string",
"id": "string",
"params": {},
"use_alert_data_for_template": true,
"uuid": "string"
}
],
"active_snoozes": [
"string"
],
"alert_delay": {
"active": 42.0
},
"api_key_created_by_user": true,
"api_key_owner": "string",
"consumer": "string",
"created_at": "string",
"created_by": "string",
"enabled": true,
"execution_status": {
"error": {
"message": "string",
"reason": "read"
},
"last_duration": 42.0,
"last_execution_date": "string",
"status": "ok",
"warning": {
"message": "string",
"reason": "maxExecutableActions"
}
},
"flapping": {
"look_back_window": 42.0,
"status_change_threshold": 42.0
},
"id": "string",
"is_snoozed_until": "string",
"last_run": {
"alerts_count": {
"active": 42.0,
"ignored": 42.0,
"new": 42.0,
"recovered": 42.0
},
"outcome": "succeeded",
"outcome_msg": [
"string"
],
"outcome_order": 42.0,
"warning": "read"
},
"mapped_params": {},
"monitoring": {
"run": {
"calculated_metrics": {
"p50": 42.0,
"p95": 42.0,
"p99": 42.0,
"success_ratio": 42.0
},
"history": [
{
"duration": 42.0,
"outcome": "succeeded",
"success": true,
"timestamp": 42.0
}
],
"last_run": {
"metrics": {
"duration": 42.0,
"gap_duration_s": 42.0,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_alerts_created": 42.0,
"total_alerts_detected": 42.0,
"total_indexing_duration_ms": 42.0,
"total_search_duration_ms": 42.0
},
"timestamp": "string"
}
}
},
"mute_all": true,
"muted_alert_ids": [
"string"
],
"name": "string",
"next_run": "string",
"notify_when": "onActionGroupChange",
"params": {},
"revision": 42.0,
"rule_type_id": "string",
"running": true,
"schedule": {
"interval": "string"
},
"scheduled_task_id": "string",
"snooze_schedule": [
{
"duration": 42.0,
"id": "string",
"rRule": {
"byhour": [
42.0
],
"byminute": [
42.0
],
"bymonth": [
42.0
],
"bymonthday": [
42.0
],
"bysecond": [
42.0
],
"bysetpos": [
42.0
],
"byweekday": [
"string"
],
"byweekno": [
42.0
],
"byyearday": [
42.0
],
"count": 42.0,
"dtstart": "string",
"freq": 0,
"interval": 42.0,
"tzid": "string",
"until": "string",
"wkst": "MO"
},
"skipRecurrences": [
"string"
]
}
],
"tags": [
"string"
],
"throttle": "string",
"updated_at": "string",
"updated_by": "string",
"view_in_app_relative_url": "string"
}
The identifier for the rule. If it is omitted, an ID is randomly generated.
Default value is []
(empty).
Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
Additional properties are NOT allowed.
The name of the application or feature that owns the rule. For example: alerts
, apm
, discover
, infrastructure
, logs
, metrics
, ml
, monitoring
, securitySolution
, siem
, stackAlerts
, or uptime
.
Indicates whether you want to run the rule on an interval basis after it is created.
Default value is true
.
When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
Additional properties are NOT allowed.
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
Indicates how often alerts generate actions. Valid values include: onActionGroupChange
: Actions run when the alert status changes; onActiveAlert
: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval
: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when
at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange
, onActiveAlert
, or onThrottleInterval
.
The rule type identifier.
The check interval, which specifies how frequently the rule conditions are checked.
Additional properties are NOT allowed.
Use the throttle
property in the action frequency
object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
The parameters for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'
{
"name": "my Elasticsearch query ESQL rule",
"params": {
"size": 0,
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
},
"threshold": [
0
],
"timeField": "@timestamp",
"searchType": "esqlQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">"
},
"actions": [
{
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"group": "query matched",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"frequency": {
"summary": false,
"notify_when": "onActiveAlert"
}
}
],
"consumer": "stackAlerts",
"schedule": {
"interval": "1d"
},
"rule_type_id": ".es-query"
}
{
"name": "my Elasticsearch query rule",
"params": {
"size": 100,
"index": [
"kibana_sample_data_logs"
],
"esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
"threshold": [
100
],
"timeField": "@timestamp",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">"
},
"actions": [
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"group": "query matched",
"params": {
"level": "info",
"message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
},
"frequency": {
"summary": true,
"throttle": "1d",
"notify_when": "onThrottleInterval"
}
},
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"group": "recovered",
"params": {
"level": "info",
"message": "Recovered"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"consumer": "alerts",
"schedule": {
"interval": "1d"
},
"rule_type_id": ".es-query"
}
{
"name": "my Elasticsearch query KQL rule",
"params": {
"size": 100,
"aggType": "count",
"groupBy": "all",
"threshold": [
1000
],
"searchType": "searchSource",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"searchConfiguration": {
"index": "90943e30-9a47-11e8-b64d-95841ca0b247",
"query": {
"query": "\"\"geo.src : \"US\" \"\"",
"language": "kuery"
}
},
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"rule_type_id": ".es-query"
}
{
"name": "my rule",
"tags": [
"cpu"
],
"params": {
"index": [
".test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"alert_delay": {
"active": 3
},
"rule_type_id": ".index-threshold"
}
{
"name": "my tracking rule",
"params": {
"index": "kibana_sample_data_logs",
"entity": "agent.keyword",
"indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
"geoField": "geo.coordinates",
"dateField\"": "@timestamp",
"boundaryType": "entireIndex",
"boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
"boundaryGeoField": "location",
"boundaryNameField": "name",
"boundaryIndexTitle": "boundary*"
},
"consumer": "alerts",
"schedule": {
"interval": "1h"
},
"rule_type_id": ".geo-containment"
}
{
"id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
"name": "my Elasticsearch query ESQL rule",
"tags": [],
"params": {
"size": 0,
"aggType": "count",
"groupBy": "all",
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
},
"threshold": [
0
],
"timeField": "@timestamp",
"searchType": "esqlQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">",
"excludeHitsFromPreviousRun\"": "true,"
},
"actions": [
{
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
"group": "query matched",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActiveAlert"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "stackAlerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1d"
},
"throttle": null,
"created_at": "2023-11-01T19:00:10.453Z",
"created_by": "elastic",
"updated_at": "2023-11-01T19:00:10.453Z",
"updated_by": "elastic\",",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-11-01T19:00:10.453Z"
},
"scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
"api_key_created_by_user": false
}
{
"id": "58148c70-407f-11ee-850e-c71febc4ca7f",
"name": "my Elasticsearch query rule",
"tags": [],
"params": {
"size": 100,
"index": [
"kibana_sample_data_logs"
],
"aggType": "count",
"esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
"groupBy": "all",
"threshold": [
100
],
"timeField": "@timestamp",
"searchType": "esQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"actions": [
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
"group": "query matched",
"params": {
"level": "info",
"message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
},
"frequency": {
"summary": true,
"throttle": "1d",
"notify_when": "onThrottleInterval"
},
"connector_type_id": ".server-log"
},
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
"group": "recovered",
"params": {
"level": "info",
"message": "Recovered"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1d"
},
"throttle": null,
"created_at": "2023-08-22T00:03:38.263Z",
"created_by": "elastic",
"updated_at": "2023-08-22T00:03:38.263Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-08-22T00:03:38.263Z"
},
"scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
"api_key_created_by_user": false
}
{
"id": "7bd506d0-2284-11ee-8fad-6101956ced88",
"name": "my Elasticsearch query KQL rule\"",
"tags": [],
"params": {
"size": 100,
"aggType": "count",
"groupBy": "all",
"threshold": [
1000
],
"searchType": "searchSource",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"searchConfiguration": {
"index": "90943e30-9a47-11e8-b64d-95841ca0b247",
"query": {
"query": "\"\"geo.src : \"US\" \"\"",
"language": "kuery"
}
},
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"actions": [],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2023-07-14T20:24:50.729Z",
"created_by": "elastic",
"updated_at": "2023-07-14T20:24:50.729Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-07-14T20:24:50.729Z"
},
"scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
"api_key_created_by_user": false
}
{
"id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
"name": "my rule",
"tags": [
"cpu"
],
"params": {
"index": [
".test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
"uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2022-06-08T17:20:31.632Z",
"created_by": "elastic",
"updated_at": "2022-06-08T17:20:31.632Z",
"updated_by": "elastic",
"alert_delay": {
"active": 3
},
"notify_when": null,
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2022-06-08T17:20:31.632Z"
},
"scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
"api_key_created_by_user": false
}
{
"id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
"name": "my tracking rule",
"tags": [],
"params": {
"index": "kibana_sample_data_logs",
"entity": "agent.keyword",
"indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
"geoField": "geo.coordinates",
"dateField": "@timestamp",
"boundaryType": "entireIndex",
"boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
"boundaryGeoField": "location",
"boundaryNameField": "name",
"boundaryIndexTitle": "boundary*"
},
"actions": [],
"enabled": true,
"running": false,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
},
"outcome_order": 0
},
"mute_all": false,
"next_run": "2024-02-15T03:26:38.033Z",
"revision": 1,
"schedule": {
"interval": "1h"
},
"throttle": null,
"created_at": "2024-02-14T19:52:55.920Z",
"created_by": "elastic",
"updated_at": "2024-02-15T03:24:32.574Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".geo-containment",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 74,
"last_execution_date": "2024-02-15T03:25:38.125Z"
},
"scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
"api_key_created_by_user": false
}
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_enable \
--header "kbn-xsrf: true"
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_unmute_all \
--header "kbn-xsrf: true"
Retrieve agentName
for a service.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
The name of the service
curl \
--request GET https://localhost:5601/api/apm/settings/agent-configuration/agent_name?serviceName=node \
--header "elastic-api-version: 2023-10-31"
{
"agentName": "nodejs"
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
If etags match then applied_by_agent
field will be set to true
markAsAppliedByAgent=true
means "force setting it to true regardless of etag".
This is needed for Jaeger agent that doesn't have etags
Service
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/apm/settings/agent-configuration/search \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"etag":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","mark_as_applied_by_agent":true,"service":{"environment":"prod","name":"node"}}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"mark_as_applied_by_agent": true,
"service": {
"environment": "prod",
"name": "node"
}
}
{
"_id": "string",
"_index": "string",
"_score": 42.0,
"_source": {
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.
An array containing users that are assigned to the case.
Not more than 10
elements.
A word or phrase that categorizes the case.
Maximum length is 50
.
Defines properties for connectors when type is .none
.
Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
At least 0
but not more than 10
elements.
The description for the case.
Maximum length is 30000
.
The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are cases
, observability
, or securitySolution
.
An object that contains the case settings.
Additional properties are allowed.
The severity of the case.
Values are critical
, high
, low
, or medium
. Default value is low
.
A title for the case.
Maximum length is 160
.
curl \
--request POST https://localhost:5601/api/cases \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'
{
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title 1",
"settings": {
"syncAlerts": true
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"description": "A case description.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
}
]
}
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzUzMiwxXQ==",
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"created_at": "2022-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null,
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 0,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Filters the returned cases by assignees. Valid values are none
or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.
Filters the returned cases by category.
he default operator to use for the simple_query_string.
Default value is OR
.
Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
The page number to return.
Default value is 1
.
The number of items to return. Limited to 100 items.
Maximum value is 100
. Default value is 20
.
Filters the returned cases by the user name of the reporter.
An Elasticsearch simple_query_string query that filters the objects in the response.
The fields to perform the simple_query_string parsed query against.
The severity of the case.
Values are critical
, high
, low
, or medium
.
Determines which field is used to sort the results.
Values are createdAt
, updatedAt
, closedAt
, title
, category
, status
, or severity
. Default value is createdAt
.
Determines the sort order.
Values are asc
or desc
. Default value is desc
.
Filters the returned cases by state.
Values are closed
, in-progress
, or open
.
Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.
curl \
--request GET https://localhost:5601/api/cases/_find
{
"page": 1,
"cases": [
{
"id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title",
"status": "open",
"version": "WzExMCwxXQ==",
"category": null,
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-12T00:16:36.371Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-12T00:27:58.162Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "Case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}
],
"total": 1,
"per_page": 5,
"count_open_cases": 1,
"count_closed_cases": 0,
"count_in_progress_cases": 0
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
The add comment to case API request body varies depending on whether you are adding an alert or a comment.
Defines properties for case comment requests when type is alert.
The alert identifiers. It is required only when type
is alert
. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index
must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The alert indices. It is required only when type
is alert
. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId
array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are cases
, observability
, or securitySolution
.
The rule that is associated with the alerts. It is required only when type
is alert
. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Additional properties are allowed.
The type of comment.
Value is alert
.
curl \
--request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"type":"user","owner":"cases","comment":"A new comment."}'
{
"type": "user",
"owner": "cases",
"comment": "A new comment."
}
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
curl \
--request GET https://localhost:5601/api/cases/configure
[
{
"id": "856ee650-6c82-11ee-a20a-6164169afa58",
"error": null,
"owner": "cases",
"version": "WzEyLDNd",
"mappings": [],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"templates": [
{
"key": "505932fe-ee3a-4960-a661-c781b5acdb05",
"name": "template-1",
"tags": [
"Template tag 1"
],
"caseFields": {
"tags": [
"Default case tag"
],
"title": "Default case title",
"category": "Default-category",
"settings": {
"syncAlerts": false
},
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"description": "A default description for cases.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Default text field value."
}
]
},
"description": "A description of the template."
}
],
"created_at": "2024-07-01T17:07:17.767Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": null,
"updated_by": null,
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": false,
"defaultValue": "Custom text field value."
}
]
}
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Aggregates and returns a list of case tags. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
curl \
--request GET https://localhost:5601/api/cases/tags
[
"observability",
"security",
"tag 1",
"tag 2"
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.
An identifier for the connector.
Test an action that acknowledges or resolves a PagerDuty alert.
curl \
--request POST https://localhost:5601/api/actions/connector/{id}/_execute \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"params":{"documents":[{"id":"my_doc_id","name":"my_doc_name","message":"hello, world"}]}}'
{
"params": {
"documents": [
{
"id": "my_doc_id",
"name": "my_doc_name",
"message": "hello, world"
}
]
}
}
{
"params": {
"subAction": "issueTypes"
}
}
{
"params": {
"subAction": "getChoices",
"subActionParams": {
"fields": [
"severity",
"urgency"
]
}
}
}
{
"params": {
"subAction": "postMessage",
"subActionParams": {
"text": "A test message.",
"channelIds": [
"C123ABC456"
]
}
}
}
{
"params": {
"subAction": "pushToService",
"subActionParams": {
"comments": [
{
"comment": "A comment about the incident.",
"commentId": 1
}
],
"incident": {
"caseId": "1000",
"caseName": "Case name",
"description": "Description of the incident."
}
}
}
}
{
"data": {
"took": 135,
"items": [
{
"create": {
"_id": "4JtvwYUBrcyxt2NnfW3y",
"_index": "my-index",
"result": "created",
"status": 201,
"_seq_no": 0,
"_shards": {
"total": 2,
"failed": 0,
"successful": 1
},
"_version": 1,
"_primary_term": 1
}
}
],
"errors": false
},
"status": "ok",
"connector_id": "fd38c600-96a5-11ed-bb79-353b74189cba"
}
{
"data": [
{
"id": 10024,
"name": "Improvement"
},
{
"id": 10006,
"name": "Task"
},
{
"id": 10007,
"name": "Sub-task"
},
{
"id": 10025,
"name": "New Feature"
},
{
"id": 10023,
"name": "Bug"
},
{
"id": 10000,
"name": "Epic"
}
],
"status": "ok",
"connector_id": "b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}
{
"status": "ok",
"connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}
{
"data": [
{
"label": "Critical",
"value": 1,
"element": "severity",
"dependent_value": ""
},
{
"label": "Major",
"value": 2,
"element": "severity",
"dependent_value": ""
},
{
"label": "Minor",
"value": 3,
"element": "severity",
"dependent_value": ""
},
{
"label": "Warning",
"value": 4,
"element": "severity",
"dependent_value": ""
},
{
"label": "OK",
"value": 5,
"element": "severity",
"dependent_value": ""
},
{
"label": "Clear",
"value": 0,
"element": "severity",
"dependent_value": ""
},
{
"label": "1 - High",
"value": 1,
"element": "urgency",
"dependent_value": ""
},
{
"label": "2 - Medium",
"value": 2,
"element": "urgency",
"dependent_value": ""
},
{
"label": "3 - Low",
"value": 3,
"element": "urgency",
"dependent_value": ""
}
],
"status": "ok",
"connector_id": "9d9be270-2fd2-11ed-b0e0-87533c532698"
}
{
"data": {
"ok": true,
"ts": "1234567890.123456",
"channel": "C123ABC456",
"message": {
"ts": "1234567890.123456",
"team": "T01ABCDE2F",
"text": "A test message",
"type": "message",
"user": "U12A345BC6D",
"app_id": "A01BC2D34EF",
"blocks": [
{
"type": "rich_text",
"block_id": "/NXe",
"elements": [
{
"type": "rich_text_section",
"elements": [
{
"text": "A test message.",
"type": "text"
}
]
}
]
}
],
"bot_id": "B12BCDEFGHI",
"bot_profile": {
"id": "B12BCDEFGHI",
"name": "test",
"icons": {
"image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"
},
"app_id": "A01BC2D34EF",
"deleted": false,
"team_id": "T01ABCDE2F",
"updated": 1672169705
}
}
},
"status": "ok",
"connector_id": ".slack_api"
}
{
"data": {
"id": "aKPmBHWzmdRQtx6Mx",
"url": "https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx",
"title": "TEST-457",
"comments": [
{
"commentId": 1,
"pushedDate": "2022-09-08T16:52:27.865Z"
}
],
"pushedDate": "2022-09-08T16:52:27.866Z"
},
"status": "ok",
"connector_id": "a4746470-2f94-11ed-b0e0-87533c532698"
}
curl \
--request GET https://localhost:5601/api/data_views
{
"data_view": [
{
"id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
"name": "Kibana Sample Data eCommerce",
"title": "kibana_sample_data_ecommerce",
"typeMeta": {},
"namespaces": [
"default"
]
},
{
"id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
"name": "Kibana Sample Data Flights",
"title": "kibana_sample_data_flights",
"namespaces": [
"default"
]
},
{
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"name": "Kibana Sample Data Logs",
"title": "kibana_sample_data_logs",
"namespaces": [
"default"
]
}
]
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
WARNING: When you delete a data view, it cannot be recovered.
An identifier for the data view.
curl \
--request DELETE https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f \
--header "kbn-xsrf: string"
{
"error": "Not Found",
"message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
"statusCode": 404
}
The ID of the data view fields you want to update.
The name for a runtime field.
The runtime field definition object.
Additional properties are allowed.
curl \
--request PUT https://localhost:5601/api/data_views/data_view/{viewId}/runtime_field \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
{
"name": "runtimeFoo",
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc[\"foo\"].value)"
}
}
}
{
"data_view": {},
"fields": [
{}
]
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
An identifier for the data view.
The name for a runtime field.
The runtime field definition object.
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
{
"name": "runtimeFoo",
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc[\"foo\"].value)"
}
}
}
{}
curl \
--request POST https://localhost:5601/api/data_views/default \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"force":true,"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f"}'
{
"force": true,
"data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
{
"acknowledged": true
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request POST https://localhost:5601/api/fleet/agents/{agentId}/actions \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"action":{"type":"UNENROLL"}}'
# Headers
kbn-xsrf: true
# Payload
{
"action": {
"type": "UNENROLL"
}
}
{
"item": {
"agents": [
"string"
],
"created_at": "string",
"expiration": "string",
"id": "string",
"minimum_execution_duration": 42.0,
"namespaces": [
"string"
],
"rollout_duration_seconds": 42.0,
"sent_at": "string",
"source_uri": "string",
"start_time": "string",
"total": 42.0,
"type": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get a list of outputs associated with agent policies.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].
curl \
--request POST https://localhost:5601/api/fleet/agent_policies/outputs \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"ids":["string"]}'
# Headers
kbn-xsrf: true
# Payload
{
"ids": [
"string"
]
}
{
"items": [
{
"agentPolicyId": "string",
"data": {
"integrations": [
{
"id": "string",
"integrationPolicyName": "string",
"name": "string",
"pkgName": "string"
}
],
"output": {
"id": "string",
"name": "string"
}
},
"monitoring": {
"output": {
"id": "string",
"name": "string"
}
}
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].
curl \
--request GET https://localhost:5601/api/fleet/kubernetes/download
string
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
curl \
--request GET https://localhost:5601/api/fleet/epm/packages
{
"items": [
{
"categories": [
"string"
],
"conditions": {
"elastic": {
"capabilities": [
"string"
],
"subscription": "string"
},
"kibana": {
"version": "string"
}
},
"data_streams": [
{}
],
"description": "string",
"discovery": {
"fields": [
{
"name": "string"
}
]
},
"download": "string",
"format_version": "string",
"icons": [
{
"dark_mode": true,
"path": "string",
"size": "string",
"src": "string",
"title": "string",
"type": "string"
}
],
"id": "string",
"installationInfo": {
"additional_spaces_installed_kibana": {
"additionalProperty1": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
],
"additionalProperty2": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
]
},
"created_at": "string",
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"install_format_schema_version": "string",
"install_source": "registry",
"install_status": "installed",
"installed_es": [
{
"deferred": true,
"id": "string",
"type": "index",
"version": "string"
}
],
"installed_kibana": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
],
"installed_kibana_space_id": "string",
"latest_executed_state": {
"error": "string",
"name": "string",
"started_at": "string"
},
"latest_install_failed_attempts": [
{
"created_at": "string",
"error": {
"message": "string",
"name": "string",
"stack": "string"
},
"target_version": "string"
}
],
"name": "string",
"namespaces": [
"string"
],
"type": "string",
"updated_at": "string",
"verification_key_id": "string",
"verification_status": "unverified",
"version": "string"
},
"integration": "string",
"internal": true,
"latestVersion": "string",
"name": "string",
"owner": {
"github": "string",
"type": "elastic"
},
"path": "string",
"policy_templates": [
{}
],
"readme": "string",
"release": "ga",
"signature_path": "string",
"source": {
"license": "string"
},
"status": "string",
"title": "string",
"type": "integration",
"vars": [
{}
],
"version": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
curl \
--request POST https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"transforms":[{"transformId":"string"}]}'
# Headers
kbn-xsrf: true
# Payload
{
"transforms": [
{
"transformId": "string"
}
]
}
[
{
"success": true,
"transformId": "string"
}
]
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
curl \
--request GET https://localhost:5601/api/fleet/epm/verification_key_id
{
"id": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get output by ID.
[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].
curl \
--request GET https://localhost:5601/api/fleet/outputs/{outputId}
{
"item": {
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"https://example.com"
],
"id": "string",
"is_default": false,
"is_default_monitoring": false,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"preset": "balanced",
"proxy_id": "string",
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "elasticsearch"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].
curl \
--request POST https://localhost:5601/api/fleet/package_policies/delete \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"force":true,"packagePolicyIds":["string"]}'
# Headers
kbn-xsrf: true
# Payload
{
"force": true,
"packagePolicyIds": [
"string"
]
}
[
{
"body": {
"message": "string"
},
"id": "string",
"name": "string",
"output_id": "string",
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"statusCode": 42.0,
"success": true
}
]
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get one decrypted uninstall token by its ID.
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request GET https://localhost:5601/api/fleet/uninstall_tokens/{uninstallTokenId}
{
"item": {
"created_at": "string",
"id": "string",
"namespaces": [
"string"
],
"policy_id": "string",
"policy_name": "string",
"token": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Manage the roles that grant Elasticsearch and Kibana privileges.
Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.
To manage a specific type of saved object, use the corresponding APIs. For example, use:
Warning: Do not write documents directly to the .kibana
index. When you write directly to the .kibana
index, the data becomes corrupted and permanently breaks future Kibana versions.
Create a Kibana saved object and specify its identifier instead of using a randomly generated ID.
An identifier for the saved object.
Valid options include visualization
, dashboard
, search
, index-pattern
, config
.
If true, overwrites the document with the same identifier.
The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.
Additional properties are allowed.
Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'
), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single'
or namespaceType: 'multiple-isolated'
), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered with
namespaceType: agnostic`), this option cannot be used.
Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'
), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single'
or namespaceType: 'multiple-isolated'
), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered with
namespaceType: agnostic`), this option cannot be used.
curl \
--request POST https://localhost:5601/api/saved_objects/{type}/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"attributes":{},"initialNamespaces":[],"references":[]}'
# Headers
kbn-xsrf: string
# Payload
{
"attributes": {},
"initialNamespaces": [],
"references": []
}
{}
{}
Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.
curl \
--request POST https://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action \
--header "Content-Type: application/json" \
--data '{"create":[{"allowed":true,"anonymized":true,"field":"string"}],"delete":{"ids":["string"],"query":"string"},"update":[{"allowed":true,"anonymized":true,"id":"string"}]}'
{
"create": [
{
"allowed": true,
"anonymized": true,
"field": "string"
}
],
"delete": {
"ids": [
"string"
],
"query": "string"
},
"update": [
{
"allowed": true,
"anonymized": true,
"id": "string"
}
]
}
{
"anonymization_fields_count": 42,
"attributes": {
"errors": [
{
"anonymization_fields": [
{
"id": "string",
"name": "string"
}
],
"err_code": "string",
"message": "string",
"status_code": 42
}
],
"results": {
"created": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
],
"deleted": [
"string"
],
"skipped": [
{
"id": "string",
"name": "string",
"skip_reason": "ANONYMIZATION_FIELD_NOT_MODIFIED"
}
],
"updated": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
]
},
"summary": {
"failed": 42,
"skipped": 42,
"succeeded": 42,
"total": 42
}
},
"message": "string",
"status_code": 42,
"success": true
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Create a model response for the given chat conversation.
curl \
--request POST https://localhost:5601/api/security_ai_assistant/chat/complete \
--header "Content-Type: application/json" \
--data '{"connectorId":"string","conversationId":"string","isStream":true,"langSmithApiKey":"string","langSmithProject":"string","messages":[{"content":"string","data":{},"fields_to_anonymize":["string"],"role":"system"}],"model":"string","persist":true,"promptId":"string","responseLanguage":"string"}'
{
"connectorId": "string",
"conversationId": "string",
"isStream": true,
"langSmithApiKey": "string",
"langSmithProject": "string",
"messages": [
{
"content": "string",
"data": {},
"fields_to_anonymize": [
"string"
],
"role": "system"
}
],
"model": "string",
"persist": true,
"promptId": "string",
"responseLanguage": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Assign users to detection alerts, and unassign them from alerts.
You cannot add and remove the same assignee in the same request.
curl \
--request POST https://localhost:5601/api/detection_engine/signals/assignees \
--header "Content-Type: application/json" \
--data '{"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"],"assignees":{"add":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"],"remove":[]}}'
{
"ids": [
"681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
],
"assignees": {
"add": [
"u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
],
"remove": []
}
}
{
"ids": [
"681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
],
"assignees": {
"add": [],
"remove": [
"u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
]
}
}
{
"took": "76,",
"noops": 0,
"total": "1,",
"batches": "1,",
"deleted": 0,
"retries": [
{
"bulk": 0
},
{
"search": 0
}
],
"updated": "1,",
"failures": [],
"timed_out": "false,",
"throttled_millis": 0,
"version_conflicts": 0,
"requests_per_second": "-1,",
"throttled_until_millis": 0
}
Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, finalize it.
Array of migration_id
s to finalize
Array of migration_id
s to finalize.
At least 1
element.
curl \
--request POST https://localhost:5601/api/detection_engine/signals/finalize_migration \
--header "Content-Type: application/json" \
--data '{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]}'
{
"migration_ids": [
"924f7c50-505f-11eb-ae0a-3fa2e626a51d"
]
}
{
"migrations": [
{
"id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
"status": "success",
"updated": "2021-01-06T22:05:56.859Z",
"version": 16,
"completed": true,
"sourceIndex": ".siem-signals-default-000002",
"destinationIndex": ".siem-signals-default-000002-r000016"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Update an endpoint exception list item using the id
or item_id
field.
Exception list item's properties
Array of comment fields:
Describes the exception list.
Exception's identifier.
Minimum length is 1
.
Human readable string identifier, e.g. trusted-linux-processes
Minimum length is 1
.
Additional properties are allowed.
Exception list name.
Minimum length is 1
.
Use this field to specify the operating system.
Values are linux
, macos
, or windows
.
Value is simple
.
curl \
--request PUT https://localhost:5601/api/endpoint_list/items \
--header "Content-Type: application/json" \
--data '{"_version":"string","comments":[{"comment":"string","created_at":"2025-05-04T09:42:00+00:00","created_by":"string","id":"string","updated_at":"2025-05-04T09:42:00+00:00","updated_by":"string"}],"description":"string","entries":[{"field":"string","operator":"excluded","type":"match","value":"string"}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","meta":{},"name":"string","os_types":["linux"],"tags":["string"],"type":"simple"}'
{
"_version": "string",
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"item_id": "simple_list_item",
"meta": {},
"name": "string",
"os_types": [
"linux"
],
"tags": [
"string"
],
"type": "simple"
}
{
"_version": "string",
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"expire_time": "2025-05-04T09:42:00+00:00",
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"item_id": "simple_list_item",
"list_id": "simple_list",
"meta": {},
"name": "string",
"namespace_type": "agnostic",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "simple",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"message": "string",
"status_code": 42
}
Download a file from an endpoint.
curl \
--request GET https://localhost:5601/api/endpoint/action/{action_id}/file/{file_id}/download
{}