Get response actions status

Get rule details

GET /api/alerting/rule/{id}

Path parameters

id string Required

The identifier for the rule.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

GET /api/alerting/rule/{id}

curl \
 --request GET https://localhost:5601/api/alerting/rule/{id}

Response examples (200)

{
  "actions": [
    {
      "alerts_filter": {
        "query": {
          "dsl": "string",
          "filters": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {},
              "query": {}
            }
          ],
          "kql": "string"
        },
        "timeframe": {
          "days": [
            1
          ],
          "hours": {
            "end": "string",
            "start": "string"
          },
          "timezone": "string"
        }
      },
      "connector_type_id": "string",
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": true,
        "throttle": "string"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "use_alert_data_for_template": true,
      "uuid": "string"
    }
  ],
  "active_snoozes": [
    "string"
  ],
  "alert_delay": {
    "active": 42.0
  },
  "api_key_created_by_user": true,
  "api_key_owner": "string",
  "consumer": "string",
  "created_at": "string",
  "created_by": "string",
  "enabled": true,
  "execution_status": {
    "error": {
      "message": "string",
      "reason": "read"
    },
    "last_duration": 42.0,
    "last_execution_date": "string",
    "status": "ok",
    "warning": {
      "message": "string",
      "reason": "maxExecutableActions"
    }
  },
  "flapping": {
    "look_back_window": 42.0,
    "status_change_threshold": 42.0
  },
  "id": "string",
  "is_snoozed_until": "string",
  "last_run": {
    "alerts_count": {
      "active": 42.0,
      "ignored": 42.0,
      "new": 42.0,
      "recovered": 42.0
    },
    "outcome": "succeeded",
    "outcome_msg": [
      "string"
    ],
    "outcome_order": 42.0,
    "warning": "read"
  },
  "mapped_params": {},
  "monitoring": {
    "run": {
      "calculated_metrics": {
        "p50": 42.0,
        "p95": 42.0,
        "p99": 42.0,
        "success_ratio": 42.0
      },
      "history": [
        {
          "duration": 42.0,
          "outcome": "succeeded",
          "success": true,
          "timestamp": 42.0
        }
      ],
      "last_run": {
        "metrics": {
          "duration": 42.0,
          "gap_duration_s": 42.0,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_alerts_created": 42.0,
          "total_alerts_detected": 42.0,
          "total_indexing_duration_ms": 42.0,
          "total_search_duration_ms": 42.0
        },
        "timestamp": "string"
      }
    }
  },
  "mute_all": true,
  "muted_alert_ids": [
    "string"
  ],
  "name": "string",
  "next_run": "string",
  "notify_when": "onActionGroupChange",
  "params": {},
  "revision": 42.0,
  "rule_type_id": "string",
  "running": true,
  "schedule": {
    "interval": "string"
  },
  "scheduled_task_id": "string",
  "snooze_schedule": [
    {
      "duration": 42.0,
      "id": "string",
      "rRule": {
        "byhour": [
          42.0
        ],
        "byminute": [
          42.0
        ],
        "bymonth": [
          42.0
        ],
        "bymonthday": [
          42.0
        ],
        "bysecond": [
          42.0
        ],
        "bysetpos": [
          42.0
        ],
        "byweekday": [
          "string"
        ],
        "byweekno": [
          42.0
        ],
        "byyearday": [
          42.0
        ],
        "count": 42.0,
        "dtstart": "string",
        "freq": 0,
        "interval": 42.0,
        "tzid": "string",
        "until": "string",
        "wkst": "MO"
      },
      "skipRecurrences": [
        "string"
      ]
    }
  ],
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updated_at": "string",
  "updated_by": "string",
  "view_in_app_relative_url": "string"
}

Create a rule

POST /api/alerting/rule/{id}

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule. If it is omitted, an ID is randomly generated.

application/json

Body

actions array[object]

Default value is [] (empty).
Hide actions attributes Show actions attributes object
- alerts_filter object
  
  Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
  
  Additional properties are NOT allowed.
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
- frequency object
  
  Additional properties are NOT allowed.
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
- id string Required
  
  The identifier for the connector saved object.
- params object
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Default value is {} (empty). Additional properties are allowed.
- use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
- uuid string
  
  A universally unique identifier (UUID) for the action.
alert_delay object

Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

Additional properties are NOT allowed.
Hide alert_delay attribute Show alert_delay attribute object
- active number Required
  
  The number of consecutive runs that must meet the rule conditions.
consumer string Required

The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled boolean

Indicates whether you want to run the rule on an interval basis after it is created.

Default value is true.
flapping object | null

When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

Additional properties are NOT allowed.
Hide flapping attributes Show flapping attributes object | null
- look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
- status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
name string Required

The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when string | null

Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
rule_type_id string Required

The rule type identifier.
schedule object Required

The check interval, which specifies how frequently the rule conditions are checked.

Additional properties are NOT allowed.
Hide schedule attribute Show schedule attribute object
- interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
tags array[string]

The tags for the rule.

Default value is [] (empty).
throttle string | null

Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
params object

The parameters for the rule.
Any of:
params_property_apm_anomaly object params_property_apm_error_count object params_property_apm_transaction_duration object params_property_apm_transaction_error_rate object params_es_query_dsl_rule object params_es_query_esql_rule object params_es_query_kql_rule object params_index_threshold_rule object params_property_infra_inventory object Count object Ratio object params_property_infra_metric_threshold object params_property_slo_burn_rate object params_property_synthetics_uptime_tls object params_property_synthetics_monitor_status object
Hide attributes Show attributes

serviceName string

The service name from APM

transactionType string

The transaction type from APM

windowSize number Required

The window size

windowUnit string Required

The window size unit

Values are m, h, or d.

environment string Required

The environment from APM

anomalySeverityType string Required

The anomaly threshold value

Values are critical, major, minor, or warning.
Hide attributes Show attributes

serviceName string

The service name from APM

windowSize number Required

The window size

windowUnit string Required

The window size unit

Values are m, h, or d.

environment string Required

The environment from APM

threshold number Required

The error count threshold value

groupBy array[string]

Values are service.name, service.environment, transaction.name, or error.grouping_key. Default value is ["service.name", "service.environment"].

errorGroupingKey string
Hide attributes Show attributes

serviceName string

The service name from APM

transactionType string

The transaction type from APM

transactionName string

The transaction name from APM

windowSize number Required

The window size

windowUnit string Required

ç

Values are m, h, or d.

environment string Required

threshold number Required

The latency threshold value

groupBy array[string]

Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].

aggregationType string Required

Values are avg, 95th, or 99th.
Hide attributes Show attributes

serviceName string

The service name from APM

transactionType string

The transaction type from APM

transactionName string

The transaction name from APM

windowSize number Required

The window size

windowUnit string Required

The window size unit

Values are m, h, or d.

environment string Required

The environment from APM

threshold number Required

The error rate threshold value

groupBy array[string]

Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].
An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

esQuery string Required

The query definition, which uses Elasticsearch Query DSL.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

index array[string] | string Required

The indices to query.

One of:
array-1 array[string] string-2 string

searchType string

The type of query, in this case a query that uses Elasticsearch Query DSL.

Value is esQuery. Default value is esQuery.

size integer

The number of documents to pass to the configured actions when the threshold condition is met.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string Required

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

esqlQuery object Required

Additional properties are allowed.

Hide esqlQuery attribute Show esqlQuery attribute object

esql string Required

The query definition, which uses Elasticsearch Query Language.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

searchType string Required

The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).

Value is esqlQuery.

size integer Required

When searchType is esqlQuery, this property is required but it does not affect the rule behavior.

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. When searchType is esqlQuery, this property is required and must be set to zero.

Minimum value of each is 0, maximum value of each is 0.

thresholdComparator string Required

The comparison function for the threshold. When searchType is esqlQuery, this property is required and must be set to ">". Since the threshold value must be 0, the result is that an alert occurs whenever the query returns results.

Value is >.

timeField string

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

searchConfiguration object

The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.

Additional properties are allowed.

Hide searchConfiguration attributes Show searchConfiguration attributes object

filter array[object]

Hide filter attributes Show filter attributes object

meta object

Additional properties are allowed.

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

Additional properties are allowed.

type string

value string

query object

Additional properties are allowed.

$state object

Additional properties are allowed.

index string | array[string]

The indices to query.

One of:
string-1 string array-2 array[string]

query object

Additional properties are allowed.

Hide query attributes Show query attributes object

language string

query string

searchType string Required

The type of query, in this case a text-based query that uses KQL or Lucene.

Value is searchSource.

size integer Required

The number of documents to pass to the configured actions when the threshold condition is met.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when rule_type_id is .index-threshold.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

filterKuery string

A KQL expression thats limits the scope of alerts.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

index array[string] Required

The indices to query.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string Required

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
Hide attributes Show attributes

criteria array[object]

Hide criteria attributes Show criteria attributes object

metric string

Values are count, cpu, diskLatency, load, memory, memoryTotal, tx, rx, logRate, diskIOReadBytes, diskIOWriteBytes, s3TotalRequests, s3NumberOfObjects, s3BucketSize, s3DownloadBytes, s3UploadBytes, rdsConnections, rdsQueriesExecuted, rdsActiveTransactions, rdsLatency, sqsMessagesVisible, sqsMessagesDelayed, sqsMessagesSent, sqsMessagesEmpty, sqsOldestMessage, or custom.

timeSize number

timeUnit string

Values are s, m, h, or d.

sourceId string

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

customMetric object

Additional properties are allowed.

Hide customMetric attributes Show customMetric attributes object

type string

Value is custom.

field string

aggregation string

Values are avg, max, min, or rate.

id string

label string

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

filterQuery string

filterQueryText string

nodeType string

Values are host, pod, container, awsEC2, awsS3, awsSQS, or awsRDS.

sourceId string

alertOnNoData boolean
Hide attributes Show attributes

criteria array[object]

Hide criteria attributes Show criteria attributes object

field string

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number | string

One of:
number-1 number string-2 string

count object Required

Additional properties are allowed.

Hide count attributes Show count attributes object

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number

timeSize number Required

timeUnit string Required

Values are s, m, h, or d.

logView object Required

Additional properties are allowed.

Hide logView attributes Show logView attributes object

logViewId string

type string

Value is log-view-reference.

groupBy array[string]
Hide attributes Show attributes

criteria array[array]

Hide criteria attributes Show criteria attributes object

field string

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number | string

One of:
number-1 number string-2 string

count object Required

Additional properties are allowed.

Hide count attributes Show count attributes object

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number

timeSize number Required

timeUnit string Required

Values are s, m, h, or d.

logView object Required

Additional properties are allowed.

Hide logView attributes Show logView attributes object

logViewId string

type string

Value is log-view-reference.

groupBy array[string]
Hide attributes Show attributes

criteria array[object]

One of:
non count criterion object count criterion object custom criterion object

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

metric string

aggType string

Values are avg, max, min, cardinality, rate, count, sum, p95, p99, or custom.

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

aggType string

Value is count.

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

aggType string

Value is custom.

customMetric array[object]

One of:
object-1 object object-2 object

Hide attributes Show attributes

name string

aggType string

Values are avg, sum, max, min, or cardinality.

field string

equation string

label string

groupBy string | array[string]

One of:
string-1 string array-2 array[string]

filterQuery string

sourceId string

alertOnNoData boolean

alertOnGroupDisappear boolean
Hide attributes Show attributes

sloId string

The SLO identifier used by the rule

burnRateThreshold number

The burn rate threshold used to trigger the alert

maxBurnRateThreshold number

The maximum burn rate threshold value defined by the SLO error budget

longWindow object

The duration of the long window used to compute the burn rate

Additional properties are allowed.

Hide longWindow attributes Show longWindow attributes object

value number

The duration value

unit string

The duration unit

shortWindow object

The duration of the short window used to compute the burn rate

Additional properties are allowed.

Hide shortWindow attributes Show shortWindow attributes object

value number

The duration value

unit string

The duration unit
Hide attributes Show attributes

search string

certExpirationThreshold number

certAgeThreshold number
Hide attributes Show attributes

availability object

Additional properties are allowed.

Hide availability attributes Show availability attributes object

range number

rangeUnit string

threshold string

filters string | object

One of:
string-1 string object-2 object Deprecated

locations array[string] Deprecated

numTimes number Required

search string

shouldCheckStatus boolean Required

shouldCheckAvailability boolean Required

timerangeCount number

timerangeUnit string

timerange object Deprecated

Additional properties are allowed.

Hide timerange attributes Show timerange attributes object Deprecated

from string

to string

version number

isAutoGenerated boolean

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
409

Indicates that the rule id is already in use.

POST /api/alerting/rule/{id}

curl \
 --request POST https://localhost:5601/api/alerting/rule/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'

Request examples

Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.

{
  "name": "my Elasticsearch query ESQL rule",
  "params": {
    "size": 0,
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActiveAlert"
      }
    }
  ],
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}

Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.

{
  "name": "my Elasticsearch query rule",
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      }
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}

Create an Elasticsearch query rule that uses Kibana query language (KQL).

{
  "name": "my Elasticsearch query KQL rule",
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "rule_type_id": ".es-query"
}

Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.

{
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "alert_delay": {
    "active": 3
  },
  "rule_type_id": ".index-threshold"
}

Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.

{
  "name": "my tracking rule",
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField\"": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1h"
  },
  "rule_type_id": ".geo-containment"
}

Response examples (200)

The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).

{
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "name": "my Elasticsearch query ESQL rule",
  "tags": [],
  "params": {
    "size": 0,
    "aggType": "count",
    "groupBy": "all",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun\"": "true,"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActiveAlert"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "stackAlerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic\",",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-11-01T19:00:10.453Z"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "api_key_created_by_user": false
}

The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).

{
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "name": "my Elasticsearch query rule",
  "tags": [],
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "aggType": "count",
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "groupBy": "all",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "searchType": "esQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      },
      "connector_type_id": ".server-log"
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-08-22T00:03:38.263Z"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "api_key_created_by_user": false
}

The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).

{
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "name": "my Elasticsearch query KQL rule\"",
  "tags": [],
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-07-14T20:24:50.729Z"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "api_key_created_by_user": false
}

The response for successfully creating an index threshold rule.

{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic",
  "alert_delay": {
    "active": 3
  },
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2022-06-08T17:20:31.632Z"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "api_key_created_by_user": false
}

The response for successfully creating a tracking containment rule.

{
  "id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "name": "my tracking rule",
  "tags": [],
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    },
    "outcome_order": 0
  },
  "mute_all": false,
  "next_run": "2024-02-15T03:26:38.033Z",
  "revision": 1,
  "schedule": {
    "interval": "1h"
  },
  "throttle": null,
  "created_at": "2024-02-14T19:52:55.920Z",
  "created_by": "elastic",
  "updated_at": "2024-02-15T03:24:32.574Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".geo-containment",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 74,
    "last_execution_date": "2024-02-15T03:25:38.125Z"
  },
  "scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "api_key_created_by_user": false
}

Disable a rule

POST /api/alerting/rule/{id}/_disable

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

application/json

Body

untrack boolean

Defines whether this rule's alerts should be untracked.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_disable

curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_disable \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"untrack":true}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "untrack": true
}

Unmute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

rule_id string Required

The identifier for the rule.
alert_id string Required

The identifier for the alert.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

curl \
 --request POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute \
 --header "kbn-xsrf: true"

Get a list of agent configurations

GET /api/apm/settings/agent-configuration

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- configurations array[object]
  
  Agent configuration
  
  Hide configurations attributes Show configurations attributes object
  
  @timestamp number Required
  
  Timestamp
  
  agent_name string
  
  Agent name
  
  applied_by_agent boolean
  
  Applied by agent
  
  etag string Required
  
  Etag
  
  service object Required
  
  Service
  
  Additional properties are allowed.
  
  Hide service attributes Show service attributes object
  
  environment string
  
  Environment
  
  name string
  
  Name
  
  settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration

curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration \
 --header "elastic-api-version: 2023-10-31"

Response examples (200)

{
  "configurations": [
    {
      "@timestamp": 1730194190636,
      "agent_name": "string",
      "applied_by_agent": true,
      "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
      "service": {
        "environment": "prod",
        "name": "node"
      },
      "settings": {
        "additionalProperty1": "string",
        "additionalProperty2": "string"
      }
    }
  ]
}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (404)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get agent name for service

GET /api/apm/settings/agent-configuration/agent_name

Retrieve agentName for a service.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

serviceName string Required

The name of the service

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- agentName string
  
  Agent name
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration/agent_name

curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration/agent_name?serviceName=node \
 --header "elastic-api-version: 2023-10-31"

Response examples (200)

{
  "agentName": "nodejs"
}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (404)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get single agent configuration

GET /api/apm/settings/agent-configuration/view

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

name string

Service name
environment string

Service environment

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- id string Required
- @timestamp number Required
  
  Timestamp
- agent_name string
  
  Agent name
- applied_by_agent boolean
  
  Applied by agent
- etag string Required
  
  Etag
- service object Required
  
  Service
  
  Additional properties are allowed.
  
  Hide service attributes Show service attributes object
  
  environment string
  
  Environment
  
  name string
  
  Name
- settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration/view

curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration/view \
 --header "elastic-api-version: 2023-10-31"

Response examples (200)

{
  "id": "string",
  "@timestamp": 1730194190636,
  "agent_name": "string",
  "applied_by_agent": true,
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (404)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get source maps

GET /api/apm/sourcemaps

Returns an array of Fleet artifacts, including source map uploads.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

page number

Page number
perPage number

Number of records per page

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- artifacts array[object]
  
  Artifacts
  
  Hide artifacts attributes Show artifacts attributes object
  
  body object
  
  Additional properties are allowed.
  
  Hide body attributes Show body attributes object
  
  bundleFilepath string
  
  serviceName string
  
  serviceVersion string
  
  sourceMap object
  
  Additional properties are allowed.
  
  Hide sourceMap attributes Show sourceMap attributes object
  
  file string
  
  mappings string
  
  sourceRoot string
  
  sources array[string]
  
  sourcesContent array[string]
  
  version number
  
  compressionAlgorithm string
  
  Compression Algorithm
  
  created string
  
  Created date
  
  decodedSha256 string
  
  Decoded SHA-256
  
  decodedSize number
  
  Decoded size
  
  encodedSha256 string
  
  Encoded SHA-256
  
  encodedSize number
  
  Encoded size
  
  encryptionAlgorithm string
  
  Encryption Algorithm
  
  id string
  
  Identifier
  
  identifier string
  
  Identifier
  
  packageName string
  
  Package name
  
  relative_url string
  
  Relative URL
  
  type string
  
  Type
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
501 application/json

Not Implemented response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/sourcemaps

curl \
 --request GET https://localhost:5601/api/apm/sourcemaps \
 --header "elastic-api-version: 2023-10-31"

Response examples (200)

{
  "artifacts": [
    {
      "body": {
        "bundleFilepath": "string",
        "serviceName": "string",
        "serviceVersion": "string",
        "sourceMap": {
          "file": "string",
          "mappings": "string",
          "sourceRoot": "string",
          "sources": [
            "string"
          ],
          "sourcesContent": [
            "string"
          ],
          "version": 42.0
        }
      },
      "compressionAlgorithm": "string",
      "created": "string",
      "decodedSha256": "string",
      "decodedSize": 42.0,
      "encodedSha256": "string",
      "encodedSize": 42.0,
      "encryptionAlgorithm": "string",
      "id": "string",
      "identifier": "string",
      "packageName": "string",
      "relative_url": "string",
      "type": "string"
    }
  ]
}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (500)

{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

Response examples (501)

{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Delete source map

DELETE /api/apm/sourcemaps/{id}

Delete a previously uploaded source map.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

Source map identifier

Responses

200 application/json

Successful response

Additional properties are NOT allowed.
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
501 application/json

Not Implemented response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

DELETE /api/apm/sourcemaps/{id}

curl \
 --request DELETE https://localhost:5601/api/apm/sourcemaps/{id} \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"

Response examples (200)

{}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}

Response examples (500)

{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

Response examples (501)

{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Find case activity

GET /api/cases/{caseId}/user_actions/_find

Retrives a paginated list of user activity for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

page integer

The page number to return.

Default value is 1.
perPage integer

The number of items to return. Limited to 100 items.

Maximum value is 100. Default value is 20.
sortOrder string

Determines the sort order.

Values are asc or desc. Default value is desc.
types array[string]

Determines the types of user actions to return.

Values are action, alert, assignees, attachment, comment, connector, create_case, description, pushed, settings, severity, status, tags, title, or user.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- page integer
- perPage integer
- total integer
- userActions array[object]
  
  Not more than 10000 elements.
  
  Hide userActions attributes Show userActions attributes object
  
  action string Required
  
  Values are add, create, delete, push_to_service, or update.
  
  comment_id string | null Required
  
  created_at string(date-time) Required
  
  created_by object Required
  
  Additional properties are allowed.
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string Required
  
  owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  payload object | null Required
  
  One of:
  Cases_payload_alert_comment object Cases_payload_assignees object Cases_payload_connector object Cases_payload_create_case object Cases_payload_delete object | null Cases_payload_description object Cases_payload_pushed object Cases_payload_settings object Cases_payload_severity object Cases_payload_status object Cases_payload_tags object Cases_payload_title object Cases_payload_user_comment object
  
  Hide attribute Show attribute
  
  comment object
  
  Additional properties are allowed.
  
  Hide comment attributes Show comment attributes object
  
  alertId string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  index string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  rule object
  
  Additional properties are allowed.
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string
  
  Value is alert.
  
  Hide attribute Show attribute
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  Hide attribute Show attribute
  
  connector object
  
  Additional properties are allowed.
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object | null
  
  caseId string
  
  The case identifier for Swimlane connectors.
  
  category string
  
  The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
  
  destIp boolean | null
  
  Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
  
  impact string
  
  The effect an incident had on business for ServiceNow ITSM connectors.
  
  issueType string
  
  The type of issue for Jira connectors.
  
  issueTypes array[string]
  
  The type of incident for IBM Resilient connectors.
  
  malwareHash boolean | null
  
  Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
  
  malwareUrl boolean | null
  
  Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
  
  parent string
  
  The key of the parent issue, when the issue type is sub-task for Jira connectors.
  
  priority string
  
  The priority of the issue for Jira and ServiceNow SecOps connectors.
  
  severity string
  
  The severity of the incident for ServiceNow ITSM connectors.
  
  severityCode string
  
  The severity code of the incident for IBM Resilient connectors.
  
  sourceIp boolean | null
  
  Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
  
  subcategory string
  
  The subcategory of the incident for ServiceNow ITSM connectors.
  
  urgency string
  
  The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
  
  id string
  
  The identifier for the connector. To create a case without a connector, use none.
  
  name string
  
  The name of the connector. To create a case without a connector, use none.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  Hide attributes Show attributes
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  connector object
  
  Additional properties are allowed.
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object | null
  
  caseId string
  
  The case identifier for Swimlane connectors.
  
  category string
  
  The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
  
  destIp boolean | null
  
  Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
  
  impact string
  
  The effect an incident had on business for ServiceNow ITSM connectors.
  
  issueType string
  
  The type of issue for Jira connectors.
  
  issueTypes array[string]
  
  The type of incident for IBM Resilient connectors.
  
  malwareHash boolean | null
  
  Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
  
  malwareUrl boolean | null
  
  Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
  
  parent string
  
  The key of the parent issue, when the issue type is sub-task for Jira connectors.
  
  priority string
  
  The priority of the issue for Jira and ServiceNow SecOps connectors.
  
  severity string
  
  The severity of the incident for ServiceNow ITSM connectors.
  
  severityCode string
  
  The severity code of the incident for IBM Resilient connectors.
  
  sourceIp boolean | null
  
  Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
  
  subcategory string
  
  The subcategory of the incident for ServiceNow ITSM connectors.
  
  urgency string
  
  The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
  
  id string
  
  The identifier for the connector. To create a case without a connector, use none.
  
  name string
  
  The name of the connector. To create a case without a connector, use none.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  description string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  settings object
  
  An object that contains the case settings.
  
  Additional properties are allowed.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  status string
  
  The status of the case.
  
  Values are closed, in-progress, or open.
  
  tags array[string]
  
  title string
  
  Hide attribute Show attribute
  
  externalService object | null
  
  Additional properties are allowed.
  
  Hide externalService attributes Show externalService attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Additional properties are allowed.
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
  
  Hide attribute Show attribute
  
  settings object
  
  An object that contains the case settings.
  
  Additional properties are allowed.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  Hide attribute Show attribute
  
  comment object
  
  Additional properties are allowed.
  
  Hide comment attributes Show comment attributes object
  
  comment string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  type string
  
  Value is user.
  
  type string Required
  
  The type of action.
  
  Values are assignees, create_case, comment, connector, description, pushed, tags, title, status, settings, or severity.
  
  version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/{caseId}/user_actions/_find

curl \
 --request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions/_find

Response examples (200)

{
  "page": 1,
  "total": 3,
  "perPage": 20,
  "userActions": [
    {
      "id": "b4cd0770-07c9-11ed-a5fd-47154cb8767e",
      "type": "create_case",
      "owner": "cases",
      "action": "create",
      "payload": {
        "tags": [
          "tag 1"
        ],
        "owner": "cases",
        "title": "Case title 1",
        "status": "open",
        "category": null,
        "settings": {
          "syncAlerts": false
        },
        "severity": "low",
        "assignees": [],
        "connector": {
          "id": "none",
          "name": "none",
          "type": ".none",
          "fields": null
        },
        "description": "A case description.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "My field value"
          },
          {
            "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
            "type": "toggle",
            "value": null
          }
        ]
      },
      "version": "WzM1ODg4LDFd",
      "comment_id": null,
      "created_at": "2023-10-20T01:17:22.150Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "57af14a0-03b1-11ed-920c-974bfa104448",
      "type": "comment",
      "owner": "cases",
      "action": "create",
      "payload": {
        "type": "user",
        "owner": "cases",
        "comment": "A new comment"
      },
      "version": "WzM1ODg4LDFa",
      "comment_id": "578608d0-03b1-11ed-920c-974bfa104448",
      "created_at": "2023-10-14T20:12:53.354Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "573c6980-6123-11ed-aa41-81a0a61fe447",
      "type": "assignees",
      "owner": "cases",
      "action": "add",
      "payload": {
        "assignees": {
          "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
        }
      },
      "version": "WzM1ODg4LDFb",
      "comment_id": null,
      "created_at": "2023-10-20T01:10:28.238Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ]
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get cases for an alert Technical preview

GET /api/cases/alerts/{alertId}

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

alertId string Required

An identifier for the alert.

Query parameters

owner string | array[string]

A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- id string
  
  The case identifier.
- title string
  
  The case title.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/alerts/{alertId}

curl \
 --request GET https://localhost:5601/api/cases/alerts/09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540

Response examples (200)

[
  {
    "id": "06116b80-e1c3-11ec-be9b-9b1838238ee6",
    "title": "security_case"
  }
]

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case connectors

GET /api/cases/configure/connectors/_find

Get information about connectors that are supported for use in cases. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actionTypeId string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
- config object
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  apiUrl string
  
  projectKey string
- id string
- isDeprecated boolean
- isMissingSecrets boolean
- isPreconfigured boolean
- name string
- referencedByCount integer
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/configure/connectors/_find

curl \
 --request GET https://localhost:5601/api/cases/configure/connectors/_find

Response examples (200)

[
  {
    "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "name": "my-Jira",
    "config": {
      "apiUrl": "https://elastic.atlassian.net/",
      "projectKey": "ES"
    },
    "actionTypeId": ".jira",
    "isDeprecated": false,
    "isPreconfigured": false,
    "isMissingSecrets": false,
    "referencedByCount": 0
  }
]

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Delete a data view

DELETE /api/data_views/data_view/{viewId}

WARNING: When you delete a data view, it cannot be recovered.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

viewId string Required

An identifier for the data view.

Responses

204

Indicates a successful call.
404 application/json

Object is not found.
Hide response attributes Show response attributes object
- error string
  
  Value is Not Found.
- message string
- statusCode integer
  
  Value is 404.

DELETE /api/data_views/data_view/{viewId}

curl \
 --request DELETE https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f \
 --header "kbn-xsrf: string"

Response examples (404)

{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Update a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Path parameters

fieldName string Required

The name of the runtime field.
viewId string Required

An identifier for the data view.

application/json

Body Required

runtimeField object Required
The runtime field definition object.

You can update following fields:
- type
- script
Additional properties are allowed.

Responses

200

Indicates a successful call.
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

curl \
 --request POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day \
 --header "Content-Type: application/json" \
 --data '{"runtimeField":{"script":{"source":"emit(doc[\"bar\"].value)"}}}'

Request example

{
  "runtimeField": {
    "script": {
      "source": "emit(doc[\"bar\"].value)"
    }
  }
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Get the default data view

GET /api/data_views/default

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view_id string
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

GET /api/data_views/default

curl \
 --request GET https://localhost:5601/api/data_views/default

Response examples (200)

{
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Upgrade an agent

POST /api/fleet/agents/{agentId}/upgrade

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

agentId string Required

application/json

Body

force boolean
skipRateLimitCheck boolean
source_uri string
version string Required

Responses

200 application/json

Additional properties are NOT allowed.
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/agents/{agentId}/upgrade

curl \
 --request POST https://localhost:5601/api/fleet/agents/{agentId}/upgrade \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"skipRateLimitCheck":true,"source_uri":"string","version":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "skipRateLimitCheck": true,
  "source_uri": "string",
  "version": "string"
}

Response examples (200)

{}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent action status

GET /api/fleet/agents/action_status

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Query parameters

page number

Default value is 0.
perPage number

Default value is 20.
date string
latest number
errorSize number

Default value is 5.

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  actionId string Required
  
  cancellationTime string
  
  completionTime string
  
  creationTime string Required
  
  creation time of action
  
  expiration string
  
  hasRolloutPeriod boolean
  
  latestErrors array[object]
  
  Hide latestErrors attributes Show latestErrors attributes object
  
  agentId string Required
  
  error string Required
  
  hostname string
  
  timestamp string Required
  
  nbAgentsAck number Required
  
  number of agents that acknowledged the action
  
  nbAgentsActionCreated number Required
  
  number of agents included in action from kibana
  
  nbAgentsActioned number Required
  
  number of agents actioned
  
  nbAgentsFailed number Required
  
  number of agents that failed to execute the action
  
  newPolicyId string
  
  new policy id (POLICY_REASSIGN action)
  
  policyId string
  
  policy id (POLICY_CHANGE action)
  
  revision number
  
  new policy revision (POLICY_CHANGE action)
  
  startTime string
  
  start time of action (scheduled actions)
  
  status string Required
  
  Values are COMPLETE, EXPIRED, CANCELLED, FAILED, IN_PROGRESS, or ROLLOUT_PASSED.
  
  type string Required
  
  Values are UPGRADE, UNENROLL, SETTINGS, POLICY_REASSIGN, CANCEL, FORCE_UNENROLL, REQUEST_DIAGNOSTICS, UPDATE_TAGS, POLICY_CHANGE, or INPUT_ACTION.
  
  version string
  
  agent version number (UPGRADE action)
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/agents/action_status

curl \
 --request GET https://localhost:5601/api/fleet/agents/action_status

Response examples (200)

{
  "items": [
    {
      "actionId": "string",
      "cancellationTime": "string",
      "completionTime": "string",
      "creationTime": "string",
      "expiration": "string",
      "hasRolloutPeriod": true,
      "latestErrors": [
        {
          "agentId": "string",
          "error": "string",
          "hostname": "string",
          "timestamp": "string"
        }
      ],
      "nbAgentsAck": 42.0,
      "nbAgentsActionCreated": 42.0,
      "nbAgentsActioned": 42.0,
      "nbAgentsFailed": 42.0,
      "newPolicyId": "string",
      "policyId": "string",
      "revision": 42.0,
      "startTime": "string",
      "status": "COMPLETE",
      "type": "UPGRADE",
      "version": "string"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk reassign agents

POST /api/fleet/agents/bulk_reassign

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

agents array[string] | string Required

Any of:
array-1 array[string] string-2 string
batchSize number
includeInactive boolean

Default value is false.
policy_id string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- actionId string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/agents/bulk_reassign

curl \
 --request POST https://localhost:5601/api/fleet/agents/bulk_reassign \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"policy_id":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "agents": [
    "string"
  ],
  "batchSize": 42.0,
  "includeInactive": false,
  "policy_id": "string"
}

Response examples (200)

{
  "actionId": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create an agent binary download source

POST /api/fleet/agent_download_sources

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

host string(uri) Required
id string
is_default boolean

Default value is false.
name string Required
proxy_id string | null

The ID of the proxy to use for this download source. See the proxies API for more information.

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  host string(uri) Required
  
  id string Required
  
  is_default boolean
  
  Default value is false.
  
  name string Required
  
  proxy_id string | null
  
  The ID of the proxy to use for this download source. See the proxies API for more information.
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/agent_download_sources

curl \
 --request POST https://localhost:5601/api/fleet/agent_download_sources \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host":"https://example.com","id":"string","is_default":false,"name":"string","proxy_id":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "host": "https://example.com",
  "id": "string",
  "is_default": false,
  "name": "string",
  "proxy_id": "string"
}

Response examples (200)

{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a full agent policy

GET /api/fleet/agent_policies/{agentPolicyId}/full

Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].

Path parameters

agentPolicyId string Required

Query parameters

download boolean
standalone boolean
kubernetes boolean

Responses

200 application/json
Hide response attribute Show response attribute object
- item string | object Required
  
  Any of:
  string-1 string object-2 object
  
  Hide attributes Show attributes
  
  agent object
  
  Additional properties are NOT allowed.
  
  Hide agent attributes Show agent attributes object
  
  download object Required
  
  Additional properties are NOT allowed.
  
  Hide download attribute Show download attribute object
  
  sourceURI string Required
  
  features object Required
  
  Hide features attribute Show features attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attribute Show * attribute object
  
  enabled boolean Required
  
  limits object
  
  Additional properties are NOT allowed.
  
  Hide limits attribute Show limits attribute object
  
  go_max_procs number
  
  logging object
  
  Additional properties are NOT allowed.
  
  Hide logging attributes Show logging attributes object
  
  files object
  
  Additional properties are NOT allowed.
  
  Hide files attributes Show files attributes object
  
  interval string
  
  keepfiles number
  
  rotateeverybytes number
  
  level string
  
  to_files boolean
  
  monitoring object Required
  
  Additional properties are NOT allowed.
  
  Hide monitoring attributes Show monitoring attributes object
  
  enabled boolean Required
  
  logs boolean Required
  
  metrics boolean Required
  
  namespace string
  
  traces boolean Required
  
  use_output string
  
  protection object
  
  Additional properties are NOT allowed.
  
  Hide protection attributes Show protection attributes object
  
  enabled boolean Required
  
  signing_key string Required
  
  uninstall_token_hash string Required
  
  fleet object
  
  Any of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  hosts array[string] Required
  
  proxy_url string
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  renegotiation string
  
  verification_mode string
  
  Hide attribute Show attribute
  
  kibana object Required
  
  Additional properties are NOT allowed.
  
  Hide kibana attributes Show kibana attributes object
  
  hosts array[string] Required
  
  path string
  
  protocol string Required
  
  id string Required
  
  inputs array[object] Required
  
  Hide inputs attributes Show inputs attributes object
  
  data_stream object Required
  
  Additional properties are allowed.
  
  Hide data_stream attribute Show data_stream attribute object
  
  namespace string Required
  
  id string Required
  
  meta object
  
  Additional properties are allowed.
  
  Hide meta attribute Show meta attribute object
  
  package object
  
  Additional properties are allowed.
  
  Hide package attributes Show package attributes object
  
  name string Required
  
  version string Required
  
  name string Required
  
  package_policy_id string Required
  
  processors array[object]
  
  Hide processors attribute Show processors attribute object
  
  add_fields object Required
  
  Additional properties are allowed.
  
  Hide add_fields attributes Show add_fields attributes object
  
  fields object Required
  
  target string Required
  
  revision number Required
  
  streams array[object]
  
  Hide streams attributes Show streams attributes object
  
  data_stream object Required
  
  Additional properties are allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  type string
  
  id string Required
  
  type string Required
  
  use_output string Required
  
  namespaces array[string]
  
  output_permissions object
  
  Hide output_permissions attribute Show output_permissions attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  outputs object Required
  
  Hide outputs attribute Show outputs attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  ca_sha256 string | null
  
  hosts array[string]
  
  proxy_url string
  
  type string Required
  
  revision number
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  signed object
  
  Additional properties are NOT allowed.
  
  Hide signed attributes Show signed attributes object
  
  data string Required
  
  signature string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/agent_policies/{agentPolicyId}/full

curl \
 --request GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/full

Response examples (200)

{
  "item": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete an agent policy

POST /api/fleet/agent_policies/delete

Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

agentPolicyId string Required
force boolean

bypass validation checks that can prevent agent policy deletion

Responses

200 application/json
Hide response attributes Show response attributes object
- id string Required
- name string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/agent_policies/delete

curl \
 --request POST https://localhost:5601/api/fleet/agent_policies/delete \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agentPolicyId":"string","force":true}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "agentPolicyId": "string",
  "force": true
}

Response examples (200)

{
  "id": "string",
  "name": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agents

GET /api/fleet/agents

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Query parameters

page number

Default value is 1.
perPage number

Default value is 20.
kuery string
showInactive boolean

Default value is false.
withMetrics boolean

Default value is false.
showUpgradeable boolean

Default value is false.
getStatusSummary boolean

Default value is false.
sortField string
sortOrder string

Values are asc or desc.

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  access_api_key string
  
  access_api_key_id string
  
  active boolean Required
  
  agent object
  
  Additional properties are allowed.
  
  Hide agent attributes Show agent attributes object
  
  id string Required
  
  version string Required
  
  audit_unenrolled_reason string
  
  components array[object]
  
  Hide components attributes Show components attributes object
  
  id string Required
  
  message string Required
  
  status string Required
  
  Values are STARTING, CONFIGURING, HEALTHY, DEGRADED, FAILED, STOPPING, or STOPPED.
  
  type string Required
  
  units array[object]
  
  Hide units attributes Show units attributes object
  
  id string Required
  
  message string Required
  
  payload object
  
  Additional properties are allowed.
  
  status string Required
  
  Values are STARTING, CONFIGURING, HEALTHY, DEGRADED, FAILED, STOPPING, or STOPPED.
  
  type string Required
  
  Values are input or output.
  
  default_api_key string
  
  default_api_key_history array[object]
  
  Hide default_api_key_history attributes Show default_api_key_history attributes object Deprecated
  
  id string Required
  
  retired_at string Required
  
  default_api_key_id string
  
  enrolled_at string Required
  
  id string Required
  
  last_checkin string
  
  last_checkin_message string
  
  last_checkin_status string
  
  Values are error, online, degraded, updating, or starting.
  
  local_metadata object Required
  
  Additional properties are allowed.
  
  metrics object
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  cpu_avg number
  
  memory_size_byte_avg number
  
  namespaces array[string]
  
  outputs object
  
  Hide outputs attribute Show outputs attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  api_key_id string Required
  
  to_retire_api_key_ids array[object]
  
  Hide to_retire_api_key_ids attributes Show to_retire_api_key_ids attributes object
  
  id string Required
  
  retired_at string Required
  
  type string Required
  
  packages array[string] Required
  
  policy_id string
  
  policy_revision number | null
  
  sort array[number | string]
  
  status string
  
  Values are offline, error, online, inactive, enrolling, unenrolling, unenrolled, updating, degraded, uninstalled, or orphaned.
  
  tags array[string]
  
  type string Required
  
  Values are PERMANENT, EPHEMERAL, or TEMPORARY.
  
  unenrolled_at string
  
  unenrollment_started_at string
  
  unhealthy_reason array[string] | null
  
  Values are input, output, or other.
  
  upgrade_details object | null
  
  Additional properties are NOT allowed.
  
  Hide upgrade_details attributes Show upgrade_details attributes object | null
  
  action_id string Required
  
  metadata object
  
  Additional properties are NOT allowed.
  
  Hide metadata attributes Show metadata attributes object
  
  download_percent number
  
  download_rate number
  
  error_msg string
  
  failed_state string
  
  Values are UPG_REQUESTED, UPG_SCHEDULED, UPG_DOWNLOADING, UPG_EXTRACTING, UPG_REPLACING, UPG_RESTARTING, UPG_FAILED, UPG_WATCHING, or UPG_ROLLBACK.
  
  retry_error_msg string
  
  retry_until string
  
  scheduled_at string
  
  state string Required
  
  Values are UPG_REQUESTED, UPG_SCHEDULED, UPG_DOWNLOADING, UPG_EXTRACTING, UPG_REPLACING, UPG_RESTARTING, UPG_FAILED, UPG_WATCHING, or UPG_ROLLBACK.
  
  target_version string Required
  
  upgrade_started_at string | null
  
  upgraded_at string | null
  
  user_provided_metadata object
  
  Additional properties are allowed.
- page number Required
- perPage number Required
- statusSummary object
  
  Hide statusSummary attribute Show statusSummary attribute object
  
  * number Additional properties
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/agents

curl \
 --request GET https://localhost:5601/api/fleet/agents

Response examples (200)

{
  "items": [
    {
      "access_api_key": "string",
      "access_api_key_id": "string",
      "active": true,
      "agent": {
        "id": "string",
        "version": "string"
      },
      "audit_unenrolled_reason": "string",
      "components": [
        {
          "id": "string",
          "message": "string",
          "status": "STARTING",
          "type": "string",
          "units": [
            {
              "id": "string",
              "message": "string",
              "payload": {},
              "status": "STARTING",
              "type": "input"
            }
          ]
        }
      ],
      "default_api_key": "string",
      "default_api_key_history": [
        {
          "id": "string",
          "retired_at": "string"
        }
      ],
      "default_api_key_id": "string",
      "enrolled_at": "string",
      "id": "string",
      "last_checkin": "string",
      "last_checkin_message": "string",
      "last_checkin_status": "error",
      "local_metadata": {},
      "metrics": {
        "cpu_avg": 42.0,
        "memory_size_byte_avg": 42.0
      },
      "namespaces": [
        "string"
      ],
      "outputs": {
        "additionalProperty1": {
          "api_key_id": "string",
          "to_retire_api_key_ids": [
            {
              "id": "string",
              "retired_at": "string"
            }
          ],
          "type": "string"
        },
        "additionalProperty2": {
          "api_key_id": "string",
          "to_retire_api_key_ids": [
            {
              "id": "string",
              "retired_at": "string"
            }
          ],
          "type": "string"
        }
      },
      "packages": [
        "string"
      ],
      "policy_id": "string",
      "policy_revision": 42.0,
      "sort": [
        42.0
      ],
      "status": "offline",
      "tags": [
        "string"
      ],
      "type": "PERMANENT",
      "unenrolled_at": "string",
      "unenrollment_started_at": "string",
      "unhealthy_reason": [
        "input"
      ],
      "upgrade_details": {
        "action_id": "string",
        "metadata": {
          "download_percent": 42.0,
          "download_rate": 42.0,
          "error_msg": "string",
          "failed_state": "UPG_REQUESTED",
          "retry_error_msg": "string",
          "retry_until": "string",
          "scheduled_at": "string"
        },
        "state": "UPG_REQUESTED",
        "target_version": "string"
      },
      "upgrade_started_at": "string",
      "upgraded_at": "string",
      "user_provided_metadata": {}
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "statusSummary": {
    "additionalProperty1": 42.0,
    "additionalProperty2": 42.0
  },
  "total": 42.0
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update package settings

PUT /api/fleet/epm/packages/{pkgName}/{pkgVersion}

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string

application/json

Body

keepPoliciesUpToDate boolean Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are allowed.
  
  Hide item attributes Show item attributes object
  
  agent object
  
  Additional properties are NOT allowed.
  
  Hide agent attribute Show agent attribute object
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  root boolean
  
  asset_tags array[object]
  
  Hide asset_tags attributes Show asset_tags attributes object
  
  asset_ids array[string]
  
  asset_types array[string]
  
  text string Required
  
  assets object Required
  
  Additional properties are allowed.
  
  categories array[string]
  
  conditions object
  
  Additional properties are allowed.
  
  Hide conditions attributes Show conditions attributes object
  
  elastic object
  
  Additional properties are allowed.
  
  Hide elastic attributes Show elastic attributes object
  
  capabilities array[string]
  
  subscription string
  
  kibana object
  
  Additional properties are allowed.
  
  Hide kibana attribute Show kibana attribute object
  
  version string
  
  data_streams array[object]
  
  Additional properties are allowed.
  
  description string
  
  discovery object
  
  Additional properties are allowed.
  
  Hide discovery attribute Show discovery attribute object
  
  fields array[object]
  
  Hide fields attribute Show fields attribute object
  
  name string Required
  
  download string
  
  elasticsearch object
  
  Additional properties are allowed.
  
  format_version string
  
  icons array[object]
  
  Hide icons attributes Show icons attributes object
  
  dark_mode boolean
  
  path string
  
  size string
  
  src string Required
  
  title string
  
  type string
  
  installationInfo object
  
  Additional properties are allowed.
  
  Hide installationInfo attributes Show installationInfo attributes object
  
  additional_spaces_installed_kibana object
  
  Hide additional_spaces_installed_kibana attribute Show additional_spaces_installed_kibana attribute object
  
  * array[object] Additional properties
  
  Hide * attributes Show * attributes object
  
  id string Required
  
  originId string
  
  type string Required
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  created_at string
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  install_format_schema_version string
  
  install_source string Required
  
  Values are registry, upload, bundled, or custom.
  
  install_status string Required
  
  Values are installed, installing, or install_failed.
  
  installed_es array[object] Required
  
  Hide installed_es attributes Show installed_es attributes object
  
  deferred boolean
  
  id string Required
  
  type string Required
  
  Values are index, index_template, component_template, ingest_pipeline, ilm_policy, data_stream_ilm_policy, transform, or ml_model.
  
  version string
  
  installed_kibana array[object] Required
  
  Hide installed_kibana attributes Show installed_kibana attributes object
  
  id string Required
  
  originId string
  
  type string Required
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  installed_kibana_space_id string
  
  latest_executed_state object
  
  Additional properties are allowed.
  
  Hide latest_executed_state attributes Show latest_executed_state attributes object
  
  error string
  
  name string Required
  
  started_at string Required
  
  latest_install_failed_attempts array[object]
  
  Hide latest_install_failed_attempts attributes Show latest_install_failed_attempts attributes object
  
  created_at string Required
  
  error object Required
  
  Additional properties are allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  name string Required
  
  stack string
  
  target_version string Required
  
  name string Required
  
  namespaces array[string]
  
  type string Required
  
  updated_at string
  
  verification_key_id string | null
  
  verification_status string Required
  
  Values are unverified, verified, or unknown.
  
  version string Required
  
  internal boolean
  
  keepPoliciesUpToDate boolean
  
  latestVersion string
  
  license string
  
  licensePath string
  
  name string Required
  
  notice string
  
  owner object
  
  Additional properties are allowed.
  
  Hide owner attributes Show owner attributes object
  
  github string
  
  type string
  
  Values are elastic, partner, or community.
  
  path string
  
  policy_templates array[object]
  
  Additional properties are allowed.
  
  readme string
  
  release string
  
  Values are ga, beta, or experimental.
  
  screenshots array[object]
  
  Hide screenshots attributes Show screenshots attributes object
  
  dark_mode boolean
  
  path string
  
  size string
  
  src string Required
  
  title string
  
  type string
  
  signature_path string
  
  source object
  
  Additional properties are allowed.
  
  Hide source attribute Show source attribute object
  
  license string Required
  
  status string
  
  title string Required
  
  type string
  
  Values are integration, input, or content.
  
  vars array[object]
  
  Additional properties are allowed.
  
  version string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

PUT /api/fleet/epm/packages/{pkgName}/{pkgVersion}

curl \
 --request PUT https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"keepPoliciesUpToDate":true}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "keepPoliciesUpToDate": true
}

Response examples (200)

{
  "item": {
    "agent": {
      "privileges": {
        "root": true
      }
    },
    "asset_tags": [
      {
        "asset_ids": [
          "string"
        ],
        "asset_types": [
          "string"
        ],
        "text": "string"
      }
    ],
    "assets": {},
    "categories": [
      "string"
    ],
    "conditions": {
      "elastic": {
        "capabilities": [
          "string"
        ],
        "subscription": "string"
      },
      "kibana": {
        "version": "string"
      }
    },
    "data_streams": [
      {}
    ],
    "description": "string",
    "discovery": {
      "fields": [
        {
          "name": "string"
        }
      ]
    },
    "download": "string",
    "elasticsearch": {},
    "format_version": "string",
    "icons": [
      {
        "dark_mode": true,
        "path": "string",
        "size": "string",
        "src": "string",
        "title": "string",
        "type": "string"
      }
    ],
    "installationInfo": {
      "additional_spaces_installed_kibana": {
        "additionalProperty1": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ],
        "additionalProperty2": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ]
      },
      "created_at": "string",
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "install_format_schema_version": "string",
      "install_source": "registry",
      "install_status": "installed",
      "installed_es": [
        {
          "deferred": true,
          "id": "string",
          "type": "index",
          "version": "string"
        }
      ],
      "installed_kibana": [
        {
          "id": "string",
          "originId": "string",
          "type": "dashboard"
        }
      ],
      "installed_kibana_space_id": "string",
      "latest_executed_state": {
        "error": "string",
        "name": "string",
        "started_at": "string"
      },
      "latest_install_failed_attempts": [
        {
          "created_at": "string",
          "error": {
            "message": "string",
            "name": "string",
            "stack": "string"
          },
          "target_version": "string"
        }
      ],
      "name": "string",
      "namespaces": [
        "string"
      ],
      "type": "string",
      "updated_at": "string",
      "verification_key_id": "string",
      "verification_status": "unverified",
      "version": "string"
    },
    "internal": true,
    "keepPoliciesUpToDate": true,
    "latestVersion": "string",
    "license": "string",
    "licensePath": "string",
    "name": "string",
    "notice": "string",
    "owner": {
      "github": "string",
      "type": "elastic"
    },
    "path": "string",
    "policy_templates": [
      {}
    ],
    "readme": "string",
    "release": "ga",
    "screenshots": [
      {
        "dark_mode": true,
        "path": "string",
        "size": "string",
        "src": "string",
        "title": "string",
        "type": "string"
      }
    ],
    "signature_path": "string",
    "source": {
      "license": "string"
    },
    "status": "string",
    "title": "string",
    "type": "integration",
    "vars": [
      {}
    ],
    "version": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Install a package from the registry

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string

Query parameters

prerelease boolean
ignoreMappingUpdateErrors boolean

Default value is false.
skipDataStreamRollover boolean

Default value is false.

application/json

Body

force boolean

Default value is false.
ignore_constraints boolean

Default value is false.

Responses

200 application/json
Hide response attributes Show response attributes object
- _meta object Required
  
  Additional properties are NOT allowed.
  
  Hide _meta attribute Show _meta attribute object
  
  install_source string Required
- items array[object] Required
  
  Any of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  id string Required
  
  originId string
  
  type string Required
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  Hide attributes Show attributes
  
  deferred boolean
  
  id string Required
  
  type string Required
  
  Values are index, index_template, component_template, ingest_pipeline, ilm_policy, data_stream_ilm_policy, transform, or ml_model.
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}

curl \
 --request POST https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":false,"ignore_constraints":false}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "force": false,
  "ignore_constraints": false
}

Response examples (200)

{
  "_meta": {
    "install_source": "string"
  },
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Generate a Logstash API key

POST /api/fleet/logstash_api_keys

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Responses

200 application/json
Hide response attribute Show response attribute object
- api_key string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/logstash_api_keys

curl \
 --request POST https://localhost:5601/api/fleet/logstash_api_keys \
 --header "kbn-xsrf: true"

Response examples (200)

{
  "api_key": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a package policy

POST /api/fleet/package_policies

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

format string

Values are simplified or legacy.

application/json

Body object

You should use inputs as an object and not use the deprecated inputs array.

description string

Package policy description
enabled boolean
force boolean

Force package policy creation even if package is not verified, or if the agent policy is managed.
id string

Package policy unique identifier
inputs array[object] Required
Hide inputs attributes Show inputs attributes object
- config object
  
  Package variable (see integration documentation for more information)
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
- enabled boolean Required
- id string
- keep_enabled boolean
- policy_template string
- streams array[object]
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
- type string Required
- vars object
  
  Package variable (see integration documentation for more information)
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
is_managed boolean
name string Required

Package policy name (should be unique)
namespace string

The package policy namespace. Leave blank to inherit the agent policy's namespace.
output_id string | null
overrides object | null

Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

Additional properties are NOT allowed.
Hide overrides attribute Show overrides attribute object | null
- inputs object
  
  Additional properties are allowed.
package object

Additional properties are NOT allowed.
Hide package attributes Show package attributes object
- experimental_data_stream_features array[object]
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
- name string Required
  
  Package name
- requires_root boolean
- title string
- version string Required
  
  Package version
policy_id string | null Deprecated

Agent policy ID where that package policy will be added
policy_ids array[string]

Agent policy IDs where that package policy will be added
supports_agentless boolean | null

Indicates whether the package policy belongs to an agentless agent policy.

Default value is false.
vars object

Package variable (see integration documentation for more information)
Hide vars attribute Show vars attribute object
- * object Additional properties
  
  Additional properties are NOT allowed.
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string

description string
force boolean
id string
inputs object

Package policy inputs (see integration documentation to know what inputs are available)
Hide inputs attribute Show inputs attribute object
- * object Additional properties
  
  Additional properties are NOT allowed.
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
name string Required
namespace string
output_id string | null
package object Required

Additional properties are NOT allowed.
Hide package attributes Show package attributes object
- experimental_data_stream_features array[object]
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
- name string Required
  
  Package name
- requires_root boolean
- title string
- version string Required
  
  Package version
policy_id string | null
policy_ids array[string]
supports_agentless boolean | null

Indicates whether the package policy belongs to an agentless agent policy.

Default value is false.
vars object

Input/stream level variable (see integration documentation for more information)

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number
409 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/package_policies

curl \
 --request POST https://localhost:5601/api/fleet/package_policies \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"description":"string","enabled":true,"force":true,"id":"string","inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "enabled": true,
  "force": true,
  "id": "string",
  "inputs": [
    {
      "config": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "enabled": true,
      "id": "string",
      "keep_enabled": true,
      "policy_template": "string",
      "streams": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "data_stream": {
            "dataset": "string",
            "elasticsearch": {
              "dynamic_dataset": true,
              "dynamic_namespace": true,
              "privileges": {
                "indices": [
                  "string"
                ]
              }
            },
            "type": "string"
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "release": "ga",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "type": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      }
    }
  ],
  "is_managed": true,
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "overrides": {
    "inputs": {}
  },
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {
    "additionalProperty1": {
      "frozen": true,
      "type": "string"
    },
    "additionalProperty2": {
      "frozen": true,
      "type": "string"
    }
  }
}

# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "force": true,
  "id": "string",
  "inputs": {
    "additionalProperty1": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    },
    "additionalProperty2": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    }
  },
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {}
}

Response examples (200)

{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Response examples (409)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a package policy

GET /api/fleet/package_policies/{packagePolicyId}

Get a package policy by ID.

Path parameters

packagePolicyId string Required

Query parameters

format string

Values are simplified or legacy.

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number
404 application/json
Hide response attribute Show response attribute object
- message string Required

GET /api/fleet/package_policies/{packagePolicyId}

curl \
 --request GET https://localhost:5601/api/fleet/package_policies/{packagePolicyId}

Response examples (200)

{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Response examples (404)

{
  "message": "string"
}

Update a proxy

PUT /api/fleet/proxies/{itemId}

Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

itemId string Required

application/json

Body

certificate string | null Required
certificate_authorities string | null Required
certificate_key string | null Required
name string
proxy_headers object | null Required
url string

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  certificate string | null
  
  certificate_authorities string | null
  
  certificate_key string | null
  
  id string Required
  
  is_preconfigured boolean
  
  Default value is false.
  
  name string Required
  
  proxy_headers object | null
  
  url string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

PUT /api/fleet/proxies/{itemId}

curl \
 --request PUT https://localhost:5601/api/fleet/proxies/{itemId} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","name":"string","proxy_headers":{},"url":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "certificate": "string",
  "certificate_authorities": "string",
  "certificate_key": "string",
  "name": "string",
  "proxy_headers": {},
  "url": "string"
}

Response examples (200)

{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a Fleet Server host

GET /api/fleet/fleet_server_hosts/{itemId}

Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].

Path parameters

itemId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  host_urls array[string] Required
  
  At least 1 element.
  
  id string Required
  
  is_default boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  Default value is false.
  
  name string Required
  
  proxy_id string | null
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/fleet_server_hosts/{itemId}

curl \
 --request GET https://localhost:5601/api/fleet/fleet_server_hosts/{itemId}

Response examples (200)

{
  "item": {
    "host_urls": [
      "string"
    ],
    "id": "string",
    "is_default": false,
    "is_internal": true,
    "is_preconfigured": false,
    "name": "string",
    "proxy_id": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a service token

POST /api/fleet/service_tokens

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

remote boolean

Default value is false.

Responses

200 application/json
Hide response attributes Show response attributes object
- name string Required
- value string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/service_tokens

curl \
 --request POST https://localhost:5601/api/fleet/service_tokens \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"remote":false}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "remote": false
}

Response examples (200)

{
  "name": "string",
  "value": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a role

GET /api/security/role/{name}

Path parameters

name string Required

The role name.

Minimum length is 1.

Query parameters

replaceDeprecatedPrivileges boolean

If true and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.

Responses

200 application/json

Indicates a successful call.

GET /api/security/role/{name}

curl \
 --request GET https://localhost:5601/api/security/role/{name}

Response examples (200)

{
  "name": "my_kibana_role",
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.",
  "elasticsearch": {
    "run_as": [],
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "index1",
          "index2"
        ],
        "privileges": [
          "all"
        ],
        "allow_restricted_indices": false
      }
    ],
    "remote_cluster": [
      {
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "monitor_enrich"
        ]
      }
    ],
    "remote_indices": [
      {
        "names": [
          "remote_index1",
          "remote_index2"
        ],
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "all"
        ],
        "allow_restricted_indices": false
      }
    ]
  },
  "_transform_error": [],
  "transient_metadata": {
    "enabled": true
  },
  "_unrecognized_applications": []
}

Update a saved object Deprecated

PUT /api/saved_objects/{type}/{id}

Update the attributes for Kibana saved objects.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

id string Required

An identifier for the saved object.
type string Required

Valid options include visualization, dashboard, search, index-pattern, config.

application/json

Body Required

object object

Additional properties are allowed.

Responses

200 application/json

Indicates a successful call.

Additional properties are allowed.
404 application/json

Indicates the object was not found.

Additional properties are allowed.
409 application/json

Indicates a conflict error.

Additional properties are allowed.

PUT /api/saved_objects/{type}/{id}

curl \
 --request PUT https://localhost:5601/api/saved_objects/{type}/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string"

Request examples

# Headers
kbn-xsrf: string

# Payload
{}

Response examples (200)

{}

Response examples (404)

{}

Response examples (409)

{}

Get prompts

GET /api/security_ai_assistant/prompts/_find

Get a list of all prompts.

Query parameters

fields array[string]
filter string

Search query
sort_field string

Field to sort by

Values are created_at, is_default, name, or updated_at.
sort_order string

Sort order

Values are asc or desc.
page integer

Page number

Minimum value is 1. Default value is 1.
per_page integer

Prompts per page

Minimum value is 0. Default value is 20.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- data array[object] Required
  
  Hide data attributes Show data attributes object
  
  categories array[string]
  
  color string
  
  consumer string
  
  content string Required
  
  createdAt string
  
  createdBy string
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  isDefault boolean
  
  isNewConversationDefault boolean
  
  name string Required
  
  namespace string
  
  Kibana space
  
  promptType string Required
  
  Prompt type
  
  Values are system or quick.
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updatedAt string
  
  updatedBy string
  
  users array[object]
  
  Hide users attributes Show users attributes object
  
  id string
  
  User id
  
  name string
  
  User name
- page integer Required
- perPage integer Required
- total integer Required
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

GET /api/security_ai_assistant/prompts/_find

curl \
 --request GET https://localhost:5601/api/security_ai_assistant/prompts/_find

Response examples (200)

{
  "data": [
    {
      "categories": [
        "string"
      ],
      "color": "string",
      "consumer": "string",
      "content": "string",
      "createdAt": "string",
      "createdBy": "string",
      "id": "string",
      "isDefault": true,
      "isNewConversationDefault": true,
      "name": "string",
      "namespace": "string",
      "promptType": "system",
      "timestamp": "string",
      "updatedAt": "string",
      "updatedBy": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ]
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

List all detection rules

GET /api/detection_engine/rules/_find

Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.

Query parameters

fields array[string]
filter string

Search query
sort_field string

Field to sort by

Values are created_at, createdAt, enabled, execution_summary.last_execution.date, execution_summary.last_execution.metrics.execution_gap_duration_s, execution_summary.last_execution.metrics.total_indexing_duration_ms, execution_summary.last_execution.metrics.total_search_duration_ms, execution_summary.last_execution.status, name, risk_score, riskScore, severity, updated_at, or updatedAt.
sort_order string

Sort order

Values are asc or desc.
page integer

Page number

Minimum value is 1. Default value is 1.
per_page integer

Rules per page

Minimum value is 0. Default value is 20.
gaps_range_start string

Gaps range start
gaps_range_end string

Gaps range end

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- data array[object] Required
  
  Any of:
  Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object
  
  Hide attributes Show attributes
  
  actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  action_type_id string Required
  
  The action type used for sending notifications.
  
  alerts_filter object
  
  Additional properties are allowed.
  
  frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
  
  id string Required
  
  The connector ID.
  
  params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
  
  uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  alias_purpose string
  
  Values are savedObjectConversion or savedObjectImport.
  
  alias_target_id string
  
  author array[string] Required
  
  building_block_type string
  
  Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
  
  description string Required
  
  Minimum length is 1.
  
  enabled boolean Required
  
  Determines whether the rule is enabled.
  
  exceptions_list array[object] Required
  
  Hide exceptions_list attributes Show exceptions_list attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
  
  type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
  
  false_positives array[string] Required
  
  from string(date-math) Required
  
  Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
  
  interval string Required
  
  Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
  
  investigation_fields object
  
  Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
  
  const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
  
  Additional properties are allowed.
  
  Hide investigation_fields attribute Show investigation_fields attribute object
  
  field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  license string
  
  The rule's license.
  
  max_signals integer Required
  
  Minimum value is 1.
  
  meta object
  
  Additional properties are allowed.
  
  name string Required
  
  Minimum length is 1.
  
  namespace string
  
  Has no effect.
  
  note string
  
  Notes to help investigate alerts produced by the rule.
  
  outcome string
  
  Values are exactMatch, aliasMatch, or conflict.
  
  output_index string Deprecated
  
  (deprecated) Has no effect.
  
  references array[string] Required
  
  related_integrations array[object] Required
  
  Hide related_integrations attributes Show related_integrations attributes object
  
  integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  required_fields array[object] Required
  
  Hide required_fields attributes Show required_fields attributes object
  
  ecs boolean Required
  
  Whether the field is an ECS field
  
  name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  response_actions array[object]
  
  One of:
  Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .osquery.
  
  params object Required
  
  Additional properties are allowed.
  
  Hide params attributes Show params attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  pack_id string
  
  queries array[object]
  
  Hide queries attributes Show queries attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  id string Required
  
  Query ID
  
  platform string
  
  query string Required
  
  Query to run
  
  removed boolean
  
  snapshot boolean
  
  version string
  
  Query version
  
  query string
  
  saved_query_id string
  
  timeout number
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .endpoint.
  
  params object Required
  
  One of:
  Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object
  
  Hide attributes Show attributes
  
  command string Required
  
  Value is isolate.
  
  comment string
  
  Hide attributes Show attributes
  
  command string Required
  
  Values are kill-process or suspend-process.
  
  comment string
  
  config object Required
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  field string Required
  
  Field to use instead of process.pid
  
  overwrite boolean
  
  Whether to overwrite field with process.pid
  
  Default value is true.
  
  risk_score integer Required
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  risk_score_mapping array[object] Required
  
  Overrides generated alerts' risk_score with a value from the source event
  
  Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  value string Required
  
  rule_name_override string
  
  Sets the source field for the alert's signal.rule.name value
  
  setup string Required
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  severity_mapping array[object] Required
  
  Overrides generated alerts' severity with values from the source event
  
  Hide severity_mapping attributes Show severity_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  value string Required
  
  tags array[string] Required
  
  String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
  
  threat array[object] Required
  
  Hide threat attributes Show threat attributes object
  
  framework string Required
  
  Relevant attack framework
  
  tactic object Required
  
  Additional properties are allowed.
  
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
  
  technique array[object]
  
  Array containing information on the attack techniques (optional)
  
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
  
  throttle string | null
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  timeline_id string
  
  Timeline template ID
  
  timeline_title string
  
  Timeline template title
  
  timestamp_override string
  
  Sets the time field used to query indices
  
  timestamp_override_fallback_disabled boolean
  
  Disables the fallback to the event's @timestamp field
  
  to string Required
  
  version integer Required
  
  The rule's version number.
  
  Minimum value is 1.
  
  created_at string(date-time) Required
  
  created_by string Required
  
  execution_summary object
  
  Additional properties are allowed.
  
  Hide execution_summary attribute Show execution_summary attribute object
  
  last_execution object Required
  
  Additional properties are allowed.
  
  Hide last_execution attributes Show last_execution attributes object
  
  date string(date-time) Required
  
  Date of the last execution
  
  message string Required
  
  metrics object Required
  
  Additional properties are allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  execution_gap_duration_s integer
  
  Duration in seconds of execution gap
  
  Minimum value is 0.
  
  gap_range object
  
  Range of the execution gap
  
  Additional properties are allowed.
  
  Hide gap_range attributes Show gap_range attributes object
  
  gte string Required
  
  Start date of the execution gap
  
  lte string Required
  
  End date of the execution gap
  
  total_enrichment_duration_ms integer
  
  Total time spent enriching documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_indexing_duration_ms integer
  
  Total time spent indexing documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_search_duration_ms integer
  
  Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
  
  Minimum value is 0.
  
  status string Required
  
  Status of the last execution
  
  Values are going to run, running, partial failure, failed, or succeeded.
  
  status_order integer Required
  
  id string(uuid) Required
  
  A universally unique identifier
  
  immutable boolean Required Deprecated
  
  This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.
  
  revision integer Required
  
  Minimum value is 0.
  
  rule_id string Required
  
  Could be any string, not necessarily a UUID
  
  rule_source object Required
  
  Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
  
  One of:
  Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object
  
  Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
  
  Hide attributes Show attributes
  
  is_customized boolean Required
  
  Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
  
  type string Required Discriminator
  
  Value is external.
  
  updated_at string(date-time) Required
  
  updated_by string Required
  
  language string Required
  
  Query language to use
  
  Value is eql.
  
  query string Required
  
  EQL query to execute
  
  type string Required Discriminator
  
  Rule type
  
  Value is eql.
  
  alert_suppression object
  
  Additional properties are allowed.
  
  Hide alert_suppression attributes Show alert_suppression attributes object
  
  duration object
  
  Additional properties are allowed.
  
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
  
  group_by array[string] Required
  
  At least 1 but not more than 3 elements.
  
  missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
  
  data_view_id string
  
  event_category_override string
  
  filters array
  
  index array[string]
  
  tiebreaker_field string
  
  Sets a secondary field for sorting events
  
  timestamp_field string
  
  Contains the event timestamp used for sorting a sequence of events
  
  Hide attributes Show attributes
  
  actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  action_type_id string Required
  
  The action type used for sending notifications.
  
  alerts_filter object
  
  Additional properties are allowed.
  
  frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
  
  id string Required
  
  The connector ID.
  
  params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
  
  uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  alias_purpose string
  
  Values are savedObjectConversion or savedObjectImport.
  
  alias_target_id string
  
  author array[string] Required
  
  building_block_type string
  
  Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
  
  description string Required
  
  Minimum length is 1.
  
  enabled boolean Required
  
  Determines whether the rule is enabled.
  
  exceptions_list array[object] Required
  
  Hide exceptions_list attributes Show exceptions_list attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
  
  type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
  
  false_positives array[string] Required
  
  from string(date-math) Required
  
  Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
  
  interval string Required
  
  Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
  
  investigation_fields object
  
  Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
  
  const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
  
  Additional properties are allowed.
  
  Hide investigation_fields attribute Show investigation_fields attribute object
  
  field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  license string
  
  The rule's license.
  
  max_signals integer Required
  
  Minimum value is 1.
  
  meta object
  
  Additional properties are allowed.
  
  name string Required
  
  Minimum length is 1.
  
  namespace string
  
  Has no effect.
  
  note string
  
  Notes to help investigate alerts produced by the rule.
  
  outcome string
  
  Values are exactMatch, aliasMatch, or conflict.
  
  output_index string Deprecated
  
  (deprecated) Has no effect.
  
  references array[string] Required
  
  related_integrations array[object] Required
  
  Hide related_integrations attributes Show related_integrations attributes object
  
  integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  required_fields array[object] Required
  
  Hide required_fields attributes Show required_fields attributes object
  
  ecs boolean Required
  
  Whether the field is an ECS field
  
  name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  response_actions array[object]
  
  One of:
  Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .osquery.
  
  params object Required
  
  Additional properties are allowed.
  
  Hide params attributes Show params attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  pack_id string
  
  queries array[object]
  
  Hide queries attributes Show queries attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  id string Required
  
  Query ID
  
  platform string
  
  query string Required
  
  Query to run
  
  removed boolean
  
  snapshot boolean
  
  version string
  
  Query version
  
  query string
  
  saved_query_id string
  
  timeout number
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .endpoint.
  
  params object Required
  
  One of:
  Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object
  
  Hide attributes Show attributes
  
  command string Required
  
  Value is isolate.
  
  comment string
  
  Hide attributes Show attributes
  
  command string Required
  
  Values are kill-process or suspend-process.
  
  comment string
  
  config object Required
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  field string Required
  
  Field to use instead of process.pid
  
  overwrite boolean
  
  Whether to overwrite field with process.pid
  
  Default value is true.
  
  risk_score integer Required
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  risk_score_mapping array[object] Required
  
  Overrides generated alerts' risk_score with a value from the source event
  
  Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  value string Required
  
  rule_name_override string
  
  Sets the source field for the alert's signal.rule.name value
  
  setup string Required
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  severity_mapping array[object] Required
  
  Overrides generated alerts' severity with values from the source event
  
  Hide severity_mapping attributes Show severity_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  value string Required
  
  tags array[string] Required
  
  String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
  
  threat array[object] Required
  
  Hide threat attributes Show threat attributes object
  
  framework string Required
  
  Relevant attack framework
  
  tactic object Required
  
  Additional properties are allowed.
  
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
  
  technique array[object]
  
  Array containing information on the attack techniques (optional)
  
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
  
  throttle string | null
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  timeline_id string
  
  Timeline template ID
  
  timeline_title string
  
  Timeline template title
  
  timestamp_override string
  
  Sets the time field used to query indices
  
  timestamp_override_fallback_disabled boolean
  
  Disables the fallback to the event's @timestamp field
  
  to string Required
  
  version integer Required
  
  The rule's version number.
  
  Minimum value is 1.
  
  created_at string(date-time) Required
  
  created_by string Required
  
  execution_summary object
  
  Additional properties are allowed.
  
  Hide execution_summary attribute Show execution_summary attribute object
  
  last_execution object Required
  
  Additional properties are allowed.
  
  Hide last_execution attributes Show last_execution attributes object
  
  date string(date-time) Required
  
  Date of the last execution
  
  message string Required
  
  metrics object Required
  
  Additional properties are allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  execution_gap_duration_s integer
  
  Duration in seconds of execution gap
  
  Minimum value is 0.
  
  gap_range object
  
  Range of the execution gap
  
  Additional properties are allowed.
  
  Hide gap_range attributes Show gap_range attributes object
  
  gte string Required
  
  Start date of the execution gap
  
  lte string Required
  
  End date of the execution gap
  
  total_enrichment_duration_ms integer
  
  Total time spent enriching documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_indexing_duration_ms integer
  
  Total time spent indexing documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_search_duration_ms integer
  
  Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
  
  Minimum value is 0.
  
  status string Required
  
  Status of the last execution
  
  Values are going to run, running, partial failure, failed, or succeeded.
  
  status_order integer Required
  
  id string(uuid) Required
  
  A universally unique identifier
  
  immutable boolean Required Deprecated
  
  This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.
  
  revision integer Required
  
  Minimum value is 0.
  
  rule_id string Required
  
  Could be any string, not necessarily a UUID
  
  rule_source object Required
  
  Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
  
  One of:
  Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object
  
  Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
  
  Hide attributes Show attributes
  
  is_customized boolean Required
  
  Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
  
  type string Required Discriminator
  
  Value is external.
  
  updated_at string(date-time) Required
  
  updated_by string Required
  
  type string Required Discriminator
  
  Rule type
  
  Value is query.
  
  alert_suppression object
  
  Additional properties are allowed.
  
  Hide alert_suppression attributes Show alert_suppression attributes object
  
  duration object
  
  Additional properties are allowed.
  
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
  
  group_by array[string] Required
  
  At least 1 but not more than 3 elements.
  
  missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
  
  data_view_id string
  
  filters array
  
  index array[string]
  
  saved_id string
  
  language string Required
  
  Values are kuery or lucene.
  
  query string Required
  
  EQL query to execute
  
  Hide attributes Show attributes
  
  actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  action_type_id string Required
  
  The action type used for sending notifications.
  
  alerts_filter object
  
  Additional properties are allowed.
  
  frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
  
  id string Required
  
  The connector ID.
  
  params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
  
  uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  alias_purpose string
  
  Values are savedObjectConversion or savedObjectImport.
  
  alias_target_id string
  
  author array[string] Required
  
  building_block_type string
  
  Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
  
  description string Required
  
  Minimum length is 1.
  
  enabled boolean Required
  
  Determines whether the rule is enabled.
  
  exceptions_list array[object] Required
  
  Hide exceptions_list attributes Show exceptions_list attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
  
  type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
  
  false_positives array[string] Required
  
  from string(date-math) Required
  
  Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
  
  interval string Required
  
  Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
  
  investigation_fields object
  
  Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
  
  const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
  
  Additional properties are allowed.
  
  Hide investigation_fields attribute Show investigation_fields attribute object
  
  field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  license string
  
  The rule's license.
  
  max_signals integer Required
  
  Minimum value is 1.
  
  meta object
  
  Additional properties are allowed.
  
  name string Required
  
  Minimum length is 1.
  
  namespace string
  
  Has no effect.
  
  note string
  
  Notes to help investigate alerts produced by the rule.
  
  outcome string
  
  Values are exactMatch, aliasMatch, or conflict.
  
  output_index string Deprecated
  
  (deprecated) Has no effect.
  
  references array[string] Required
  
  related_integrations array[object] Required
  
  Hide related_integrations attributes Show related_integrations attributes object
  
  integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  required_fields array[object] Required
  
  Hide required_fields attributes Show required_fields attributes object
  
  ecs boolean Required
  
  Whether the field is an ECS field
  
  name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  response_actions array[object]
  
  One of:
  Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .osquery.
  
  params object Required
  
  Additional properties are allowed.
  
  Hide params attributes Show params attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  pack_id string
  
  queries array[object]
  
  Hide queries attributes Show queries attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  id string Required
  
  Query ID
  
  platform string
  
  query string Required
  
  Query to run
  
  removed boolean
  
  snapshot boolean
  
  version string
  
  Query version
  
  query string
  
  saved_query_id string
  
  timeout number
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .endpoint.
  
  params object Required
  
  One of:
  Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object
  
  Hide attributes Show attributes
  
  command string Required
  
  Value is isolate.
  
  comment string
  
  Hide attributes Show attributes
  
  command string Required
  
  Values are kill-process or suspend-process.
  
  comment string
  
  config object Required
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  field string Required
  
  Field to use instead of process.pid
  
  overwrite boolean
  
  Whether to overwrite field with process.pid
  
  Default value is true.
  
  risk_score integer Required
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  risk_score_mapping array[object] Required
  
  Overrides generated alerts' risk_score with a value from the source event
  
  Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  value string Required
  
  rule_name_override string
  
  Sets the source field for the alert's signal.rule.name value
  
  setup string Required
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  severity_mapping array[object] Required
  
  Overrides generated alerts' severity with values from the source event
  
  Hide severity_mapping attributes Show severity_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  value string Required
  
  tags array[string] Required
  
  String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
  
  threat array[object] Required
  
  Hide threat attributes Show threat attributes object
  
  framework string Required
  
  Relevant attack framework
  
  tactic object Required
  
  Additional properties are allowed.
  
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
  
  technique array[object]
  
  Array containing information on the attack techniques (optional)
  
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
  
  throttle string | null
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  timeline_id string
  
  Timeline template ID
  
  timeline_title string
  
  Timeline template title
  
  timestamp_override string
  
  Sets the time field used to query indices
  
  timestamp_override_fallback_disabled boolean
  
  Disables the fallback to the event's @timestamp field
  
  to string Required
  
  version integer Required
  
  The rule's version number.
  
  Minimum value is 1.
  
  created_at string(date-time) Required
  
  created_by string Required
  
  execution_summary object
  
  Additional properties are allowed.
  
  Hide execution_summary attribute Show execution_summary attribute object
  
  last_execution object Required
  
  Additional properties are allowed.
  
  Hide last_execution attributes Show last_execution attributes object
  
  date string(date-time) Required
  
  Date of the last execution
  
  message string Required
  
  metrics object Required
  
  Additional properties are allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  execution_gap_duration_s integer
  
  Duration in seconds of execution gap
  
  Minimum value is 0.
  
  gap_range object
  
  Range of the execution gap
  
  Additional properties are allowed.
  
  Hide gap_range attributes Show gap_range attributes object
  
  gte string Required
  
  Start date of the execution gap
  
  lte string Required
  
  End date of the execution gap
  
  total_enrichment_duration_ms integer
  
  Total time spent enriching documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_indexing_duration_ms integer
  
  Total time spent indexing documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_search_duration_ms integer
  
  Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
  
  Minimum value is 0.
  
  status string Required
  
  Status of the last execution
  
  Values are going to run, running, partial failure, failed, or succeeded.
  
  status_order integer Required
  
  id string(uuid) Required
  
  A universally unique identifier
  
  immutable boolean Required Deprecated
  
  This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.
  
  revision integer Required
  
  Minimum value is 0.
  
  rule_id string Required
  
  Could be any string, not necessarily a UUID
  
  rule_source object Required
  
  Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
  
  One of:
  Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object
  
  Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
  
  Hide attributes Show attributes
  
  is_customized boolean Required
  
  Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
  
  type string Required Discriminator
  
  Value is external.
  
  updated_at string(date-time) Required
  
  updated_by string Required
  
  saved_id string Required
  
  type string Required Discriminator
  
  Rule type
  
  Value is saved_query.
  
  alert_suppression object
  
  Additional properties are allowed.
  
  Hide alert_suppression attributes Show alert_suppression attributes object
  
  duration object
  
  Additional properties are allowed.
  
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
  
  group_by array[string] Required
  
  At least 1 but not more than 3 elements.
  
  missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
  
  data_view_id string
  
  filters array
  
  index array[string]
  
  query string
  
  EQL query to execute
  
  language string Required
  
  Values are kuery or lucene.
  
  Hide attributes Show attributes
  
  actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  action_type_id string Required
  
  The action type used for sending notifications.
  
  alerts_filter object
  
  Additional properties are allowed.
  
  frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
  
  id string Required
  
  The connector ID.
  
  params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
  
  uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  alias_purpose string
  
  Values are savedObjectConversion or savedObjectImport.
  
  alias_target_id string
  
  author array[string] Required
  
  building_block_type string
  
  Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
  
  description string Required
  
  Minimum length is 1.
  
  enabled boolean Required
  
  Determines whether the rule is enabled.
  
  exceptions_list array[object] Required
  
  Hide exceptions_list attributes Show exceptions_list attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
  
  type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
  
  false_positives array[string] Required
  
  from string(date-math) Required
  
  Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
  
  interval string Required
  
  Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
  
  investigation_fields object
  
  Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
  
  const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
  
  Additional properties are allowed.
  
  Hide investigation_fields attribute Show investigation_fields attribute object
  
  field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  license string
  
  The rule's license.
  
  max_signals integer Required
  
  Minimum value is 1.
  
  meta object
  
  Additional properties are allowed.
  
  name string Required
  
  Minimum length is 1.
  
  namespace string
  
  Has no effect.
  
  note string
  
  Notes to help investigate alerts produced by the rule.
  
  outcome string
  
  Values are exactMatch, aliasMatch, or conflict.
  
  output_index string Deprecated
  
  (deprecated) Has no effect.
  
  references array[string] Required
  
  related_integrations array[object] Required
  
  Hide related_integrations attributes Show related_integrations attributes object
  
  integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  required_fields array[object] Required
  
  Hide required_fields attributes Show required_fields attributes object
  
  ecs boolean Required
  
  Whether the field is an ECS field
  
  name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  response_actions array[object]
  
  One of:
  Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .osquery.
  
  params object Required
  
  Additional properties are allowed.
  
  Hide params attributes Show params attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  pack_id string
  
  queries array[object]
  
  Hide queries attributes Show queries attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  id string Required
  
  Query ID
  
  platform string
  
  query string Required
  
  Query to run
  
  removed boolean
  
  snapshot boolean
  
  version string
  
  Query version
  
  query string
  
  saved_query_id string
  
  timeout number
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .endpoint.
  
  params object Required
  
  One of:
  Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object
  
  Hide attributes Show attributes
  
  command string Required
  
  Value is isolate.
  
  comment string
  
  Hide attributes Show attributes
  
  command string Required
  
  Values are kill-process or suspend-process.
  
  comment string
  
  config object Required
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  field string Required
  
  Field to use instead of process.pid
  
  overwrite boolean
  
  Whether to overwrite field with process.pid
  
  Default value is true.
  
  risk_score integer Required
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  risk_score_mapping array[object] Required
  
  Overrides generated alerts' risk_score with a value from the source event
  
  Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  value string Required
  
  rule_name_override string
  
  Sets the source field for the alert's signal.rule.name value
  
  setup string Required
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  severity_mapping array[object] Required
  
  Overrides generated alerts' severity with values from the source event
  
  Hide severity_mapping attributes Show severity_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  value string Required
  
  tags array[string] Required
  
  String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
  
  threat array[object] Required
  
  Hide threat attributes Show threat attributes object
  
  framework string Required
  
  Relevant attack framework
  
  tactic object Required
  
  Additional properties are allowed.
  
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
  
  technique array[object]
  
  Array containing information on the attack techniques (optional)
  
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
  
  throttle string | null
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  timeline_id string
  
  Timeline template ID
  
  timeline_title string
  
  Timeline template title
  
  timestamp_override string
  
  Sets the time field used to query indices
  
  timestamp_override_fallback_disabled boolean
  
  Disables the fallback to the event's @timestamp field
  
  to string Required
  
  version integer Required
  
  The rule's version number.
  
  Minimum value is 1.
  
  created_at string(date-time) Required
  
  created_by string Required
  
  execution_summary object
  
  Additional properties are allowed.
  
  Hide execution_summary attribute Show execution_summary attribute object
  
  last_execution object Required
  
  Additional properties are allowed.
  
  Hide last_execution attributes Show last_execution attributes object
  
  date string(date-time) Required
  
  Date of the last execution
  
  message string Required
  
  metrics object Required
  
  Additional properties are allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  execution_gap_duration_s integer
  
  Duration in seconds of execution gap
  
  Minimum value is 0.
  
  gap_range object
  
  Range of the execution gap
  
  Additional properties are allowed.
  
  Hide gap_range attributes Show gap_range attributes object
  
  gte string Required
  
  Start date of the execution gap
  
  lte string Required
  
  End date of the execution gap
  
  total_enrichment_duration_ms integer
  
  Total time spent enriching documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_indexing_duration_ms integer
  
  Total time spent indexing documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_search_duration_ms integer
  
  Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
  
  Minimum value is 0.
  
  status string Required
  
  Status of the last execution
  
  Values are going to run, running, partial failure, failed, or succeeded.
  
  status_order integer Required
  
  id string(uuid) Required
  
  A universally unique identifier
  
  immutable boolean Required Deprecated
  
  This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.
  
  revision integer Required
  
  Minimum value is 0.
  
  rule_id string Required
  
  Could be any string, not necessarily a UUID
  
  rule_source object Required
  
  Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
  
  One of:
  Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object
  
  Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
  
  Hide attributes Show attributes
  
  is_customized boolean Required
  
  Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
  
  type string Required Discriminator
  
  Value is external.
  
  updated_at string(date-time) Required
  
  updated_by string Required
  
  query string Required
  
  EQL query to execute
  
  threshold object Required
  
  Additional properties are allowed.
  
  Hide threshold attributes Show threshold attributes object
  
  cardinality array[object]
  
  Hide cardinality attributes Show cardinality attributes object
  
  field string Required
  
  value integer Required
  
  Minimum value is 0.
  
  field string | array[string] Required
  
  Field to aggregate on
  
  One of:
  string-1 string array-2 array[string]
  
  value integer Required
  
  Threshold value
  
  Minimum value is 1.
  
  type string Required Discriminator
  
  Rule type
  
  Value is threshold.
  
  alert_suppression object
  
  Additional properties are allowed.
  
  Hide alert_suppression attribute Show alert_suppression attribute object
  
  duration object Required
  
  Additional properties are allowed.
  
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
  
  data_view_id string
  
  filters array
  
  index array[string]
  
  saved_id string
  
  language string Required
  
  Values are kuery or lucene.
  
  Hide attributes Show attributes
  
  actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  action_type_id string Required
  
  The action type used for sending notifications.
  
  alerts_filter object
  
  Additional properties are allowed.
  
  frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
  
  id string Required
  
  The connector ID.
  
  params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
  
  uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  alias_purpose string
  
  Values are savedObjectConversion or savedObjectImport.
  
  alias_target_id string
  
  author array[string] Required
  
  building_block_type string
  
  Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
  
  description string Required
  
  Minimum length is 1.
  
  enabled boolean Required
  
  Determines whether the rule is enabled.
  
  exceptions_list array[object] Required
  
  Hide exceptions_list attributes Show exceptions_list attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
  
  type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
  
  false_positives array[string] Required
  
  from string(date-math) Required
  
  Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
  
  interval string Required
  
  Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
  
  investigation_fields object
  
  Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
  
  const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
  
  Additional properties are allowed.
  
  Hide investigation_fields attribute Show investigation_fields attribute object
  
  field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  license string
  
  The rule's license.
  
  max_signals integer Required
  
  Minimum value is 1.
  
  meta object
  
  Additional properties are allowed.
  
  name string Required
  
  Minimum length is 1.
  
  namespace string
  
  Has no effect.
  
  note string
  
  Notes to help investigate alerts produced by the rule.
  
  outcome string
  
  Values are exactMatch, aliasMatch, or conflict.
  
  output_index string Deprecated
  
  (deprecated) Has no effect.
  
  references array[string] Required
  
  related_integrations array[object] Required
  
  Hide related_integrations attributes Show related_integrations attributes object
  
  integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  required_fields array[object] Required
  
  Hide required_fields attributes Show required_fields attributes object
  
  ecs boolean Required
  
  Whether the field is an ECS field
  
  name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  response_actions array[object]
  
  One of:
  Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .osquery.
  
  params object Required
  
  Additional properties are allowed.
  
  Hide params attributes Show params attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  pack_id string
  
  queries array[object]
  
  Hide queries attributes Show queries attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  id string Required
  
  Query ID
  
  platform string
  
  query string Required
  
  Query to run
  
  removed boolean
  
  snapshot boolean
  
  version string
  
  Query version
  
  query string
  
  saved_query_id string
  
  timeout number
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .endpoint.
  
  params object Required
  
  One of:
  Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object
  
  Hide attributes Show attributes
  
  command string Required
  
  Value is isolate.
  
  comment string
  
  Hide attributes Show attributes
  
  command string Required
  
  Values are kill-process or suspend-process.
  
  comment string
  
  config object Required
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  field string Required
  
  Field to use instead of process.pid
  
  overwrite boolean
  
  Whether to overwrite field with process.pid
  
  Default value is true.
  
  risk_score integer Required
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  risk_score_mapping array[object] Required
  
  Overrides generated alerts' risk_score with a value from the source event
  
  Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  value string Required
  
  rule_name_override string
  
  Sets the source field for the alert's signal.rule.name value
  
  setup string Required
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  severity_mapping array[object] Required
  
  Overrides generated alerts' severity with values from the source event
  
  Hide severity_mapping attributes Show severity_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  value string Required
  
  tags array[string] Required
  
  String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
  
  threat array[object] Required
  
  Hide threat attributes Show threat attributes object
  
  framework string Required
  
  Relevant attack framework
  
  tactic object Required
  
  Additional properties are allowed.
  
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
  
  technique array[object]
  
  Array containing information on the attack techniques (optional)
  
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
  
  throttle string | null
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  timeline_id string
  
  Timeline template ID
  
  timeline_title string
  
  Timeline template title
  
  timestamp_override string
  
  Sets the time field used to query indices
  
  timestamp_override_fallback_disabled boolean
  
  Disables the fallback to the event's @timestamp field
  
  to string Required
  
  version integer Required
  
  The rule's version number.
  
  Minimum value is 1.
  
  created_at string(date-time) Required
  
  created_by string Required
  
  execution_summary object
  
  Additional properties are allowed.
  
  Hide execution_summary attribute Show execution_summary attribute object
  
  last_execution object Required
  
  Additional properties are allowed.
  
  Hide last_execution attributes Show last_execution attributes object
  
  date string(date-time) Required
  
  Date of the last execution
  
  message string Required
  
  metrics object Required
  
  Additional properties are allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  execution_gap_duration_s integer
  
  Duration in seconds of execution gap
  
  Minimum value is 0.
  
  gap_range object
  
  Range of the execution gap
  
  Additional properties are allowed.
  
  Hide gap_range attributes Show gap_range attributes object
  
  gte string Required
  
  Start date of the execution gap
  
  lte string Required
  
  End date of the execution gap
  
  total_enrichment_duration_ms integer
  
  Total time spent enriching documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_indexing_duration_ms integer
  
  Total time spent indexing documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_search_duration_ms integer
  
  Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
  
  Minimum value is 0.
  
  status string Required
  
  Status of the last execution
  
  Values are going to run, running, partial failure, failed, or succeeded.
  
  status_order integer Required
  
  id string(uuid) Required
  
  A universally unique identifier
  
  immutable boolean Required Deprecated
  
  This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.
  
  revision integer Required
  
  Minimum value is 0.
  
  rule_id string Required
  
  Could be any string, not necessarily a UUID
  
  rule_source object Required
  
  Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
  
  One of:
  Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object
  
  Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
  
  Hide attributes Show attributes
  
  is_customized boolean Required
  
  Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
  
  type string Required Discriminator
  
  Value is external.
  
  updated_at string(date-time) Required
  
  updated_by string Required
  
  query string Required
  
  EQL query to execute
  
  threat_index array[string] Required
  
  threat_mapping array[object] Required
  
  At least 1 element.
  
  Hide threat_mapping attribute Show threat_mapping attribute object
  
  entries array[object] Required
  
  Hide entries attributes Show entries attributes object
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required
  
  Value is mapping.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  threat_query string Required
  
  Query to run
  
  type string Required Discriminator
  
  Rule type
  
  Value is threat_match.
  
  alert_suppression object
  
  Additional properties are allowed.
  
  Hide alert_suppression attributes Show alert_suppression attributes object
  
  duration object
  
  Additional properties are allowed.
  
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
  
  group_by array[string] Required
  
  At least 1 but not more than 3 elements.
  
  missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
  
  concurrent_searches integer
  
  Minimum value is 1.
  
  data_view_id string
  
  filters array
  
  index array[string]
  
  items_per_search integer
  
  Minimum value is 1.
  
  saved_id string
  
  threat_filters array
  
  Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
  
  threat_indicator_path string
  
  Defines the path to the threat indicator in the indicator documents (optional)
  
  threat_language string
  
  Values are kuery or lucene.
  
  language string Required
  
  Values are kuery or lucene.
  
  Hide attributes Show attributes
  
  actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  action_type_id string Required
  
  The action type used for sending notifications.
  
  alerts_filter object
  
  Additional properties are allowed.
  
  frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
  
  id string Required
  
  The connector ID.
  
  params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
  
  uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  alias_purpose string
  
  Values are savedObjectConversion or savedObjectImport.
  
  alias_target_id string
  
  author array[string] Required
  
  building_block_type string
  
  Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
  
  description string Required
  
  Minimum length is 1.
  
  enabled boolean Required
  
  Determines whether the rule is enabled.
  
  exceptions_list array[object] Required
  
  Hide exceptions_list attributes Show exceptions_list attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
  
  type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
  
  false_positives array[string] Required
  
  from string(date-math) Required
  
  Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
  
  interval string Required
  
  Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
  
  investigation_fields object
  
  Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
  
  const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
  
  Additional properties are allowed.
  
  Hide investigation_fields attribute Show investigation_fields attribute object
  
  field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  license string
  
  The rule's license.
  
  max_signals integer Required
  
  Minimum value is 1.
  
  meta object
  
  Additional properties are allowed.
  
  name string Required
  
  Minimum length is 1.
  
  namespace string
  
  Has no effect.
  
  note string
  
  Notes to help investigate alerts produced by the rule.
  
  outcome string
  
  Values are exactMatch, aliasMatch, or conflict.
  
  output_index string Deprecated
  
  (deprecated) Has no effect.
  
  references array[string] Required
  
  related_integrations array[object] Required
  
  Hide related_integrations attributes Show related_integrations attributes object
  
  integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  required_fields array[object] Required
  
  Hide required_fields attributes Show required_fields attributes object
  
  ecs boolean Required
  
  Whether the field is an ECS field
  
  name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  response_actions array[object]
  
  One of:
  Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .osquery.
  
  params object Required
  
  Additional properties are allowed.
  
  Hide params attributes Show params attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  pack_id string
  
  queries array[object]
  
  Hide queries attributes Show queries attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  id string Required
  
  Query ID
  
  platform string
  
  query string Required
  
  Query to run
  
  removed boolean
  
  snapshot boolean
  
  version string
  
  Query version
  
  query string
  
  saved_query_id string
  
  timeout number
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .endpoint.
  
  params object Required
  
  One of:
  Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object
  
  Hide attributes Show attributes
  
  command string Required
  
  Value is isolate.
  
  comment string
  
  Hide attributes Show attributes
  
  command string Required
  
  Values are kill-process or suspend-process.
  
  comment string
  
  config object Required
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  field string Required
  
  Field to use instead of process.pid
  
  overwrite boolean
  
  Whether to overwrite field with process.pid
  
  Default value is true.
  
  risk_score integer Required
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  risk_score_mapping array[object] Required
  
  Overrides generated alerts' risk_score with a value from the source event
  
  Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  value string Required
  
  rule_name_override string
  
  Sets the source field for the alert's signal.rule.name value
  
  setup string Required
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  severity_mapping array[object] Required
  
  Overrides generated alerts' severity with values from the source event
  
  Hide severity_mapping attributes Show severity_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  value string Required
  
  tags array[string] Required
  
  String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
  
  threat array[object] Required
  
  Hide threat attributes Show threat attributes object
  
  framework string Required
  
  Relevant attack framework
  
  tactic object Required
  
  Additional properties are allowed.
  
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
  
  technique array[object]
  
  Array containing information on the attack techniques (optional)
  
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
  
  throttle string | null
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  timeline_id string
  
  Timeline template ID
  
  timeline_title string
  
  Timeline template title
  
  timestamp_override string
  
  Sets the time field used to query indices
  
  timestamp_override_fallback_disabled boolean
  
  Disables the fallback to the event's @timestamp field
  
  to string Required
  
  version integer Required
  
  The rule's version number.
  
  Minimum value is 1.
  
  created_at string(date-time) Required
  
  created_by string Required
  
  execution_summary object
  
  Additional properties are allowed.
  
  Hide execution_summary attribute Show execution_summary attribute object
  
  last_execution object Required
  
  Additional properties are allowed.
  
  Hide last_execution attributes Show last_execution attributes object
  
  date string(date-time) Required
  
  Date of the last execution
  
  message string Required
  
  metrics object Required
  
  Additional properties are allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  execution_gap_duration_s integer
  
  Duration in seconds of execution gap
  
  Minimum value is 0.
  
  gap_range object
  
  Range of the execution gap
  
  Additional properties are allowed.
  
  Hide gap_range attributes Show gap_range attributes object
  
  gte string Required
  
  Start date of the execution gap
  
  lte string Required
  
  End date of the execution gap
  
  total_enrichment_duration_ms integer
  
  Total time spent enriching documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_indexing_duration_ms integer
  
  Total time spent indexing documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_search_duration_ms integer
  
  Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
  
  Minimum value is 0.
  
  status string Required
  
  Status of the last execution
  
  Values are going to run, running, partial failure, failed, or succeeded.
  
  status_order integer Required
  
  id string(uuid) Required
  
  A universally unique identifier
  
  immutable boolean Required Deprecated
  
  This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.
  
  revision integer Required
  
  Minimum value is 0.
  
  rule_id string Required
  
  Could be any string, not necessarily a UUID
  
  rule_source object Required
  
  Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
  
  One of:
  Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object
  
  Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
  
  Hide attributes Show attributes
  
  is_customized boolean Required
  
  Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
  
  type string Required Discriminator
  
  Value is external.
  
  updated_at string(date-time) Required
  
  updated_by string Required
  
  anomaly_threshold integer Required
  
  Anomaly threshold
  
  Minimum value is 0.
  
  machine_learning_job_id string | array[string] Required
  
  Machine learning job ID
  
  One of:
  string-1 string array-2 array[string]
  
  type string Required Discriminator
  
  Rule type
  
  Value is machine_learning.
  
  alert_suppression object
  
  Additional properties are allowed.
  
  Hide alert_suppression attributes Show alert_suppression attributes object
  
  duration object
  
  Additional properties are allowed.
  
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
  
  group_by array[string] Required
  
  At least 1 but not more than 3 elements.
  
  missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
  
  Hide attributes Show attributes
  
  actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  action_type_id string Required
  
  The action type used for sending notifications.
  
  alerts_filter object
  
  Additional properties are allowed.
  
  frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
  
  id string Required
  
  The connector ID.
  
  params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
  
  uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  alias_purpose string
  
  Values are savedObjectConversion or savedObjectImport.
  
  alias_target_id string
  
  author array[string] Required
  
  building_block_type string
  
  Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
  
  description string Required
  
  Minimum length is 1.
  
  enabled boolean Required
  
  Determines whether the rule is enabled.
  
  exceptions_list array[object] Required
  
  Hide exceptions_list attributes Show exceptions_list attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
  
  type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
  
  false_positives array[string] Required
  
  from string(date-math) Required
  
  Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
  
  interval string Required
  
  Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
  
  investigation_fields object
  
  Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
  
  const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
  
  Additional properties are allowed.
  
  Hide investigation_fields attribute Show investigation_fields attribute object
  
  field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  license string
  
  The rule's license.
  
  max_signals integer Required
  
  Minimum value is 1.
  
  meta object
  
  Additional properties are allowed.
  
  name string Required
  
  Minimum length is 1.
  
  namespace string
  
  Has no effect.
  
  note string
  
  Notes to help investigate alerts produced by the rule.
  
  outcome string
  
  Values are exactMatch, aliasMatch, or conflict.
  
  output_index string Deprecated
  
  (deprecated) Has no effect.
  
  references array[string] Required
  
  related_integrations array[object] Required
  
  Hide related_integrations attributes Show related_integrations attributes object
  
  integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  required_fields array[object] Required
  
  Hide required_fields attributes Show required_fields attributes object
  
  ecs boolean Required
  
  Whether the field is an ECS field
  
  name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  response_actions array[object]
  
  One of:
  Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .osquery.
  
  params object Required
  
  Additional properties are allowed.
  
  Hide params attributes Show params attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  pack_id string
  
  queries array[object]
  
  Hide queries attributes Show queries attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  id string Required
  
  Query ID
  
  platform string
  
  query string Required
  
  Query to run
  
  removed boolean
  
  snapshot boolean
  
  version string
  
  Query version
  
  query string
  
  saved_query_id string
  
  timeout number
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .endpoint.
  
  params object Required
  
  One of:
  Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object
  
  Hide attributes Show attributes
  
  command string Required
  
  Value is isolate.
  
  comment string
  
  Hide attributes Show attributes
  
  command string Required
  
  Values are kill-process or suspend-process.
  
  comment string
  
  config object Required
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  field string Required
  
  Field to use instead of process.pid
  
  overwrite boolean
  
  Whether to overwrite field with process.pid
  
  Default value is true.
  
  risk_score integer Required
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  risk_score_mapping array[object] Required
  
  Overrides generated alerts' risk_score with a value from the source event
  
  Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  value string Required
  
  rule_name_override string
  
  Sets the source field for the alert's signal.rule.name value
  
  setup string Required
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  severity_mapping array[object] Required
  
  Overrides generated alerts' severity with values from the source event
  
  Hide severity_mapping attributes Show severity_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  value string Required
  
  tags array[string] Required
  
  String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
  
  threat array[object] Required
  
  Hide threat attributes Show threat attributes object
  
  framework string Required
  
  Relevant attack framework
  
  tactic object Required
  
  Additional properties are allowed.
  
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
  
  technique array[object]
  
  Array containing information on the attack techniques (optional)
  
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
  
  throttle string | null
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  timeline_id string
  
  Timeline template ID
  
  timeline_title string
  
  Timeline template title
  
  timestamp_override string
  
  Sets the time field used to query indices
  
  timestamp_override_fallback_disabled boolean
  
  Disables the fallback to the event's @timestamp field
  
  to string Required
  
  version integer Required
  
  The rule's version number.
  
  Minimum value is 1.
  
  created_at string(date-time) Required
  
  created_by string Required
  
  execution_summary object
  
  Additional properties are allowed.
  
  Hide execution_summary attribute Show execution_summary attribute object
  
  last_execution object Required
  
  Additional properties are allowed.
  
  Hide last_execution attributes Show last_execution attributes object
  
  date string(date-time) Required
  
  Date of the last execution
  
  message string Required
  
  metrics object Required
  
  Additional properties are allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  execution_gap_duration_s integer
  
  Duration in seconds of execution gap
  
  Minimum value is 0.
  
  gap_range object
  
  Range of the execution gap
  
  Additional properties are allowed.
  
  Hide gap_range attributes Show gap_range attributes object
  
  gte string Required
  
  Start date of the execution gap
  
  lte string Required
  
  End date of the execution gap
  
  total_enrichment_duration_ms integer
  
  Total time spent enriching documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_indexing_duration_ms integer
  
  Total time spent indexing documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_search_duration_ms integer
  
  Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
  
  Minimum value is 0.
  
  status string Required
  
  Status of the last execution
  
  Values are going to run, running, partial failure, failed, or succeeded.
  
  status_order integer Required
  
  id string(uuid) Required
  
  A universally unique identifier
  
  immutable boolean Required Deprecated
  
  This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.
  
  revision integer Required
  
  Minimum value is 0.
  
  rule_id string Required
  
  Could be any string, not necessarily a UUID
  
  rule_source object Required
  
  Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
  
  One of:
  Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object
  
  Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
  
  Hide attributes Show attributes
  
  is_customized boolean Required
  
  Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
  
  type string Required Discriminator
  
  Value is external.
  
  updated_at string(date-time) Required
  
  updated_by string Required
  
  history_window_start string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  new_terms_fields array[string] Required
  
  At least 1 but not more than 3 elements.
  
  query string Required
  
  EQL query to execute
  
  type string Required Discriminator
  
  Rule type
  
  Value is new_terms.
  
  alert_suppression object
  
  Additional properties are allowed.
  
  Hide alert_suppression attributes Show alert_suppression attributes object
  
  duration object
  
  Additional properties are allowed.
  
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
  
  group_by array[string] Required
  
  At least 1 but not more than 3 elements.
  
  missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
  
  data_view_id string
  
  filters array
  
  index array[string]
  
  language string Required
  
  Values are kuery or lucene.
  
  Hide attributes Show attributes
  
  actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  action_type_id string Required
  
  The action type used for sending notifications.
  
  alerts_filter object
  
  Additional properties are allowed.
  
  frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
  
  id string Required
  
  The connector ID.
  
  params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
  
  uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  alias_purpose string
  
  Values are savedObjectConversion or savedObjectImport.
  
  alias_target_id string
  
  author array[string] Required
  
  building_block_type string
  
  Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
  
  description string Required
  
  Minimum length is 1.
  
  enabled boolean Required
  
  Determines whether the rule is enabled.
  
  exceptions_list array[object] Required
  
  Hide exceptions_list attributes Show exceptions_list attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
  
  type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
  
  false_positives array[string] Required
  
  from string(date-math) Required
  
  Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
  
  interval string Required
  
  Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
  
  investigation_fields object
  
  Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
  
  const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
  
  Additional properties are allowed.
  
  Hide investigation_fields attribute Show investigation_fields attribute object
  
  field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  license string
  
  The rule's license.
  
  max_signals integer Required
  
  Minimum value is 1.
  
  meta object
  
  Additional properties are allowed.
  
  name string Required
  
  Minimum length is 1.
  
  namespace string
  
  Has no effect.
  
  note string
  
  Notes to help investigate alerts produced by the rule.
  
  outcome string
  
  Values are exactMatch, aliasMatch, or conflict.
  
  output_index string Deprecated
  
  (deprecated) Has no effect.
  
  references array[string] Required
  
  related_integrations array[object] Required
  
  Hide related_integrations attributes Show related_integrations attributes object
  
  integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  required_fields array[object] Required
  
  Hide required_fields attributes Show required_fields attributes object
  
  ecs boolean Required
  
  Whether the field is an ECS field
  
  name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  response_actions array[object]
  
  One of:
  Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .osquery.
  
  params object Required
  
  Additional properties are allowed.
  
  Hide params attributes Show params attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  pack_id string
  
  queries array[object]
  
  Hide queries attributes Show queries attributes object
  
  ecs_mapping object
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  field string
  
  value string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  id string Required
  
  Query ID
  
  platform string
  
  query string Required
  
  Query to run
  
  removed boolean
  
  snapshot boolean
  
  version string
  
  Query version
  
  query string
  
  saved_query_id string
  
  timeout number
  
  Hide attributes Show attributes
  
  action_type_id string Required
  
  Value is .endpoint.
  
  params object Required
  
  One of:
  Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object
  
  Hide attributes Show attributes
  
  command string Required
  
  Value is isolate.
  
  comment string
  
  Hide attributes Show attributes
  
  command string Required
  
  Values are kill-process or suspend-process.
  
  comment string
  
  config object Required
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  field string Required
  
  Field to use instead of process.pid
  
  overwrite boolean
  
  Whether to overwrite field with process.pid
  
  Default value is true.
  
  risk_score integer Required
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  risk_score_mapping array[object] Required
  
  Overrides generated alerts' risk_score with a value from the source event
  
  Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
  
  value string Required
  
  rule_name_override string
  
  Sets the source field for the alert's signal.rule.name value
  
  setup string Required
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  severity_mapping array[object] Required
  
  Overrides generated alerts' severity with values from the source event
  
  Hide severity_mapping attributes Show severity_mapping attributes object
  
  field string Required
  
  operator string Required
  
  Value is equals.
  
  severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
  
  value string Required
  
  tags array[string] Required
  
  String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
  
  threat array[object] Required
  
  Hide threat attributes Show threat attributes object
  
  framework string Required
  
  Relevant attack framework
  
  tactic object Required
  
  Additional properties are allowed.
  
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
  
  technique array[object]
  
  Array containing information on the attack techniques (optional)
  
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
  
  throttle string | null
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
  
  timeline_id string
  
  Timeline template ID
  
  timeline_title string
  
  Timeline template title
  
  timestamp_override string
  
  Sets the time field used to query indices
  
  timestamp_override_fallback_disabled boolean
  
  Disables the fallback to the event's @timestamp field
  
  to string Required
  
  version integer Required
  
  The rule's version number.
  
  Minimum value is 1.
  
  created_at string(date-time) Required
  
  created_by string Required
  
  execution_summary object
  
  Additional properties are allowed.
  
  Hide execution_summary attribute Show execution_summary attribute object
  
  last_execution object Required
  
  Additional properties are allowed.
  
  Hide last_execution attributes Show last_execution attributes object
  
  date string(date-time) Required
  
  Date of the last execution
  
  message string Required
  
  metrics object Required
  
  Additional properties are allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  execution_gap_duration_s integer
  
  Duration in seconds of execution gap
  
  Minimum value is 0.
  
  gap_range object
  
  Range of the execution gap
  
  Additional properties are allowed.
  
  Hide gap_range attributes Show gap_range attributes object
  
  gte string Required
  
  Start date of the execution gap
  
  lte string Required
  
  End date of the execution gap
  
  total_enrichment_duration_ms integer
  
  Total time spent enriching documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_indexing_duration_ms integer
  
  Total time spent indexing documents during current rule execution cycle
  
  Minimum value is 0.
  
  total_search_duration_ms integer
  
  Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
  
  Minimum value is 0.
  
  status string Required
  
  Status of the last execution
  
  Values are going to run, running, partial failure, failed, or succeeded.
  
  status_order integer Required
  
  id string(uuid) Required
  
  A universally unique identifier
  
  immutable boolean Required Deprecated
  
  This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.
  
  revision integer Required
  
  Minimum value is 0.
  
  rule_id string Required
  
  Could be any string, not necessarily a UUID
  
  rule_source object Required
  
  Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
  
  One of:
  Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object
  
  Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
  
  Hide attributes Show attributes
  
  is_customized boolean Required
  
  Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
  
  type string Required Discriminator
  
  Value is external.
  
  updated_at string(date-time) Required
  
  updated_by string Required
  
  alert_suppression object
  
  Additional properties are allowed.
  
  Hide alert_suppression attributes Show alert_suppression attributes object
  
  duration object
  
  Additional properties are allowed.
  
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
  
  group_by array[string] Required
  
  At least 1 but not more than 3 elements.
  
  missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
  
  language string Required
  
  Value is esql.
  
  query string Required
  
  EQL query to execute
  
  type string Required Discriminator
  
  Rule type
  
  Value is esql.
- page integer Required
- perPage integer Required
- total integer Required

GET /api/detection_engine/rules/_find

curl \
 --request GET https://localhost:5601/api/detection_engine/rules/_find

Response examples (200)

{
  "data": [
    {
      "actions": [
        {
          "action_type_id": "string",
          "alerts_filter": {},
          "frequency": {
            "notifyWhen": "onActiveAlert",
            "summary": true,
            "throttle": "no_actions"
          },
          "group": "string",
          "id": "string",
          "params": {},
          "uuid": "string"
        }
      ],
      "alias_purpose": "savedObjectConversion",
      "alias_target_id": "string",
      "author": [
        "string"
      ],
      "building_block_type": "string",
      "description": "string",
      "enabled": true,
      "exceptions_list": [
        {
          "id": "string",
          "list_id": "string",
          "namespace_type": "agnostic",
          "type": "detection"
        }
      ],
      "false_positives": [
        "string"
      ],
      "from": "string",
      "interval": "string",
      "investigation_fields": {
        "field_names": [
          "string"
        ]
      },
      "license": "string",
      "max_signals": 42,
      "meta": {},
      "name": "string",
      "namespace": "string",
      "note": "string",
      "outcome": "exactMatch",
      "output_index": "string",
      "references": [
        "string"
      ],
      "related_integrations": [
        {
          "integration": "string",
          "package": "string",
          "version": "string"
        }
      ],
      "required_fields": [
        {
          "ecs": true,
          "name": "string",
          "type": "string"
        }
      ],
      "response_actions": [
        {
          "action_type_id": ".osquery",
          "params": {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "pack_id": "string",
            "queries": [
              {
                "ecs_mapping": {
                  "additionalProperty1": {
                    "field": "string",
                    "value": "string"
                  },
                  "additionalProperty2": {
                    "field": "string",
                    "value": "string"
                  }
                },
                "id": "string",
                "platform": "string",
                "query": "string",
                "removed": true,
                "snapshot": true,
                "version": "string"
              }
            ],
            "query": "string",
            "saved_query_id": "string",
            "timeout": 42.0
          }
        }
      ],
      "risk_score": 42,
      "risk_score_mapping": [
        {
          "field": "string",
          "operator": "equals",
          "risk_score": 42,
          "value": "string"
        }
      ],
      "rule_name_override": "string",
      "setup": "string",
      "severity": "low",
      "severity_mapping": [
        {
          "field": "string",
          "operator": "equals",
          "severity": "low",
          "value": "string"
        }
      ],
      "tags": [
        "string"
      ],
      "threat": [
        {
          "framework": "string",
          "tactic": {
            "id": "string",
            "name": "string",
            "reference": "string"
          },
          "technique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string",
              "subtechnique": [
                {
                  "id": "string",
                  "name": "string",
                  "reference": "string"
                }
              ]
            }
          ]
        }
      ],
      "throttle": "no_actions",
      "timeline_id": "string",
      "timeline_title": "string",
      "timestamp_override": "string",
      "timestamp_override_fallback_disabled": true,
      "to": "string",
      "version": 42,
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "execution_summary": {
        "last_execution": {
          "date": "2025-05-04T09:42:00+00:00",
          "message": "string",
          "metrics": {
            "execution_gap_duration_s": 42,
            "gap_range": {
              "gte": "string",
              "lte": "string"
            },
            "total_enrichment_duration_ms": 42,
            "total_indexing_duration_ms": 42,
            "total_search_duration_ms": 42
          },
          "status": "going to run",
          "status_order": 42
        }
      },
      "id": "string",
      "immutable": true,
      "revision": 42,
      "rule_id": "string",
      "rule_source": {
        "is_customized": true,
        "type": "external"
      },
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string",
      "language": "eql",
      "query": "string",
      "type": "eql",
      "alert_suppression": {
        "duration": {
          "unit": "s",
          "value": 42
        },
        "group_by": [
          "string"
        ],
        "missing_fields_strategy": "doNotSuppress"
      },
      "data_view_id": "string",
      "event_category_override": "string",
      "filters": [],
      "index": [
        "string"
      ],
      "tiebreaker_field": "string",
      "timestamp_field": "string"
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}

Preview rule alerts generated on specified time range

POST /api/detection_engine/rules/preview

Query parameters

enable_logged_requests boolean

Enables logging and returning in response ES queries, performed during rule execution

application/json

Body object Required

An object containing tags to add or remove and alert ids the changes will be applied

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
language string Required

Query language to use

Value is eql.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is eql.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
event_category_override string
filters array
index array[string]
tiebreaker_field string

Sets a secondary field for sorting events
timestamp_field string

Contains the event timestamp used for sorting a sequence of events
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
type string Required Discriminator

Rule type

Value is query.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
saved_id string
language string

Values are kuery or lucene.
query string

EQL query to execute
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
saved_id string Required
type string Required Discriminator

Rule type

Value is saved_query.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
query string

EQL query to execute
language string

Values are kuery or lucene.
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
query string Required

EQL query to execute
threshold object Required

Additional properties are allowed.
Hide threshold attributes Show threshold attributes object
- cardinality array[object]
  Hide cardinality attributes Show cardinality attributes object
  
  field string Required
  
  value integer Required
  
  Minimum value is 0.
- field string | array[string] Required
  
  Field to aggregate on
  
  One of:
  string-1 string array-2 array[string]
- value integer Required
  
  Threshold value
  
  Minimum value is 1.
type string Required Discriminator

Rule type

Value is threshold.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attribute Show alert_suppression attribute object
- duration object Required
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
data_view_id string
filters array
index array[string]
saved_id string
language string

Values are kuery or lucene.
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
query string Required

EQL query to execute
threat_index array[string] Required
threat_mapping array[object] Required

At least 1 element.
Hide threat_mapping attribute Show threat_mapping attribute object
- entries array[object] Required
  Hide entries attributes Show entries attributes object
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required
  
  Value is mapping.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
threat_query string Required

Query to run
type string Required Discriminator

Rule type

Value is threat_match.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
concurrent_searches integer

Minimum value is 1.
data_view_id string
filters array
index array[string]
items_per_search integer

Minimum value is 1.
saved_id string
threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)
threat_language string

Values are kuery or lucene.
language string

Values are kuery or lucene.
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
anomaly_threshold integer Required

Anomaly threshold

Minimum value is 0.
machine_learning_job_id string | array[string] Required

Machine learning job ID

One of:
string-1 string array-2 array[string]
type string Required Discriminator

Rule type

Value is machine_learning.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
history_window_start string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
new_terms_fields array[string] Required

At least 1 but not more than 3 elements.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is new_terms.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
language string

Values are kuery or lucene.
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
language string Required

Value is esql.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is esql.
invocationCount integer Required
timeframeEnd string(date-time) Required

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- isAborted boolean
- logs array[object] Required
  
  Hide logs attributes Show logs attributes object
  
  duration integer Required
  
  Execution duration in milliseconds
  
  errors array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  Minimum length of each is 1.
  
  requests array[object]
  
  Hide requests attributes Show requests attributes object
  
  description string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  duration integer
  
  request string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  request_type string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  startedAt string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  warnings array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  Minimum length of each is 1.
- previewId string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/rules/preview

curl \
 --request POST https://localhost:5601/api/detection_engine/rules/preview \
 --header "Content-Type: application/json" \
 --data '{"actions":[{"action_type_id":"string","alerts_filter":{},"frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":"no_actions"},"group":"string","id":"string","params":{},"uuid":"string"}],"alias_purpose":"savedObjectConversion","alias_target_id":"string","author":["string"],"building_block_type":"string","description":"string","enabled":true,"exceptions_list":[{"id":"string","list_id":"string","namespace_type":"agnostic","type":"detection"}],"false_positives":["string"],"from":"string","interval":"string","investigation_fields":{"field_names":["string"]},"license":"string","max_signals":42,"meta":{},"name":"string","namespace":"string","note":"string","outcome":"exactMatch","output_index":"string","references":["string"],"related_integrations":[{"integration":"string","package":"string","version":"string"}],"required_fields":[{"name":"string","type":"string"}],"response_actions":[{"action_type_id":".osquery","params":{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string","timeout":42.0}}],"risk_score":42,"risk_score_mapping":[{"field":"string","operator":"equals","risk_score":42,"value":"string"}],"rule_id":"string","rule_name_override":"string","setup":"string","severity":"low","severity_mapping":[{"field":"string","operator":"equals","severity":"low","value":"string"}],"tags":["string"],"threat":[{"framework":"string","tactic":{"id":"string","name":"string","reference":"string"},"technique":[{"id":"string","name":"string","reference":"string","subtechnique":[{"id":"string","name":"string","reference":"string"}]}]}],"throttle":"no_actions","timeline_id":"string","timeline_title":"string","timestamp_override":"string","timestamp_override_fallback_disabled":true,"to":"string","version":42,"language":"eql","query":"string","type":"eql","alert_suppression":{"duration":{"unit":"s","value":42},"group_by":["string"],"missing_fields_strategy":"doNotSuppress"},"data_view_id":"string","event_category_override":"string","filters":[],"index":["string"],"tiebreaker_field":"string","timestamp_field":"string","invocationCount":42,"timeframeEnd":"2025-05-04T09:42:00+00:00"}'

Request examples

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "language": "eql",
  "query": "string",
  "type": "eql",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "event_category_override": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "tiebreaker_field": "string",
  "timestamp_field": "string",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "type": "query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "query": "string",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "saved_id": "string",
  "type": "saved_query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "query": "string",
  "language": "kuery",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "query": "string",
  "threshold": {
    "cardinality": [
      {
        "field": "string",
        "value": 42
      }
    ],
    "field": "string",
    "value": 42
  },
  "type": "threshold",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    }
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "query": "string",
  "threat_index": [
    "string"
  ],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "string",
          "type": "mapping",
          "value": "string"
        }
      ]
    }
  ],
  "threat_query": "string",
  "type": "threat_match",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "concurrent_searches": 42,
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "items_per_search": 42,
  "saved_id": "string",
  "threat_filters": [],
  "threat_indicator_path": "string",
  "threat_language": "kuery",
  "language": "kuery",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "anomaly_threshold": 42,
  "machine_learning_job_id": "string",
  "type": "machine_learning",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "history_window_start": "string",
  "new_terms_fields": [
    "string"
  ],
  "query": "string",
  "type": "new_terms",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "language": "kuery",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "language": "esql",
  "query": "string",
  "type": "esql",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

Response examples (200)

{
  "isAborted": true,
  "logs": [
    {
      "duration": 42,
      "errors": [
        "string"
      ],
      "requests": [
        {
          "description": "string",
          "duration": 42,
          "request": "string",
          "request_type": "string"
        }
      ],
      "startedAt": "string",
      "warnings": [
        "string"
      ]
    }
  ],
  "previewId": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Clean up detection alert migrations Deprecated

DELETE /api/detection_engine/signals/migration

Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted.

While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation.

application/json

Body Required

Array of migration_ids to cleanup

migration_ids array[string] Required

Array of migration_ids to cleanup.

At least 1 element.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- destinationIndex string Required
- error object
  
  Additional properties are allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  status_code integer Required
- id string Required
- sourceIndex string Required
- status string Required
  
  Values are success, failure, or pending.
- updated string(date-time) Required
- version string Required
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

DELETE /api/detection_engine/signals/migration

curl \
 --request DELETE https://localhost:5601/api/detection_engine/signals/migration \
 --header "Content-Type: application/json" \
 --data '{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]}'

Request example

{
  "migration_ids": [
    "924f7c50-505f-11eb-ae0a-3fa2e626a51d"
  ]
}

Response examples (200)

{
  "migrations": [
    {
      "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "status": "success",
      "updated": "2021-01-06T22:05:56.859Z",
      "version": 16,
      "sourceIndex": ".siem-signals-default-000002",
      "destinationIndex": ".siem-signals-default-000002-r000016"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Retrieve the status of detection alert migrations Deprecated

GET /api/detection_engine/signals/migration_status

Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices.

Query parameters

from string(date-math) Required

Maximum age of qualifying detection alerts

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- indices array[object] Required
  
  Hide indices attributes Show indices attributes object
  
  index string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  is_outdated boolean Required
  
  migrations array[object] Required
  
  Hide migrations attributes Show migrations attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  status string Required
  
  Values are success, failure, or pending.
  
  updated string(date-time) Required
  
  version integer Required
  
  signal_versions array[object] Required
  
  Hide signal_versions attributes Show signal_versions attributes object
  
  count integer Required
  
  version integer Required
  
  version integer Required
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/detection_engine/signals/migration_status

curl \
 --request GET https://localhost:5601/api/detection_engine/signals/migration_status?from=now-30d

Response examples (200)

{
  "indices": [
    {
      "index": ".siem-signals-default-000002",
      "version": 15,
      "migrations": [
        {
          "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
          "status": "pending",
          "updated": "2021-01-06T20:41:37.173Z",
          "version": 16
        }
      ],
      "is_outdated": true,
      "signal_versions": [
        {
          "count": 100,
          "version": 15
        },
        {
          "count": 87,
          "version": 16
        }
      ]
    },
    {
      "index": ".siem-signals-default-000003",
      "version": 16,
      "migrations": [],
      "is_outdated": false,
      "signal_versions": [
        {
          "count": 54,
          "version": 16
        }
      ]
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Create an endpoint exception list item

POST /api/endpoint_list/items

Create an endpoint exception list item, and associate it with the endpoint exception list.

application/json

Body Required

Exception list item's properties

comments array[object]
Array of comment fields:
- comment (string): Comments about the exception item.
Hide comments attributes Show comments attributes object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- updated_at string(date-time)
  
  Autogenerated date of last object update.
- updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
entries array[object] Required
Any of:
Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list object Required

Additional properties are allowed.

Hide list attributes Show list attributes object

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is list.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is exists.
Hide attributes Show attributes

entries array[object] Required

At least 1 element.

One of:
Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is exists.

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required Discriminator

Value is nested.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is wildcard.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
os_types array[string]

Use this field to specify the operating system.

Values are linux, macos, or windows.
tags array[string(nonempty)]

String array containing words and phrases to help categorize exception items.

Minimum length of each is 1.
type string Required

Value is simple.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Additional properties are allowed.
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows.
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json

Invalid input data
One of:
Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Insufficient privileges
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
409 application/json

Endpoint list item already exists
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/endpoint_list/items

curl \
 --request POST https://localhost:5601/api/endpoint_list/items \
 --header "Content-Type: application/json" \
 --data '{"comments":[{"comment":"string","created_at":"2025-05-04T09:42:00+00:00","created_by":"string","id":"string","updated_at":"2025-05-04T09:42:00+00:00","updated_by":"string"}],"description":"string","entries":[{"field":"string","operator":"excluded","type":"match","value":"string"}],"item_id":"simple_list_item","meta":{},"name":"string","os_types":["linux"],"tags":["string"],"type":"simple"}'

Request examples

{
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "item_id": "simple_list_item",
  "meta": {},
  "name": "string",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "type": "simple"
}

Response examples (200)

{
  "_version": "string",
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "expire_time": "2025-05-04T09:42:00+00:00",
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "meta": {},
  "name": "string",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "simple",
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (409)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Delete an endpoint exception list item

DELETE /api/endpoint_list/items

Delete an endpoint exception list item using the id or item_id field.

Query parameters

id string(nonempty)

Either id or item_id must be specified

Minimum length is 1.
item_id string(nonempty)

Either id or item_id must be specified

Minimum length is 1.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Additional properties are allowed.
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows.
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json

Invalid input data
One of:
Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Insufficient privileges
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

Endpoint list item not found
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

DELETE /api/endpoint_list/items

curl \
 --request DELETE https://localhost:5601/api/endpoint_list/items

Response examples (200)

{
  "_version": "string",
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "expire_time": "2025-05-04T09:42:00+00:00",
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "meta": {},
  "name": "string",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "simple",
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (404)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Get endpoint exception list items

GET /api/endpoint_list/items/_find

Get a list of all endpoint exception list items.

Query parameters

filter string(nonempty)

Filters the returned results according to the value of the specified field, using the <field name>:<field value> syntax.

Minimum length is 1.
page integer

The page number to return

Minimum value is 0.
per_page integer

The number of exception list items to return per page

Minimum value is 0.
sort_field string(nonempty)

Determines which field is used to sort the results

Minimum length is 1.
sort_order string

Determines the sort order, which can be desc or asc

Values are desc or asc.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- data array[object] Required
  
  Hide data attributes Show data attributes object
  
  _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
  
  comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string Required
  
  Autogenerated value - user that created object.
  
  description string Required
  
  Describes the exception list.
  
  entries array[object] Required
  
  Any of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Additional properties are allowed.
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
  
  id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
  
  item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
  
  list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
  
  meta object
  
  Additional properties are allowed.
  
  name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
  
  namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single.
  
  os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows.
  
  tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1.
  
  tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
  
  type string Required
  
  Value is simple.
  
  updated_at string(date-time) Required
  
  Autogenerated date of last object update.
  
  updated_by string Required
  
  Autogenerated value - user that last updated object.
- page integer Required
  
  Minimum value is 0.
- per_page integer Required
  
  Minimum value is 0.
- pit string
- total integer Required
  
  Minimum value is 0.
400 application/json

Invalid input data
One of:
Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Insufficient privileges
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

Endpoint list not found
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/endpoint_list/items/_find

curl \
 --request GET https://localhost:5601/api/endpoint_list/items/_find

Response examples (200)

{
  "data": [
    {
      "_version": "string",
      "comments": [
        {
          "comment": "string",
          "created_at": "2025-05-04T09:42:00+00:00",
          "created_by": "string",
          "id": "string",
          "updated_at": "2025-05-04T09:42:00+00:00",
          "updated_by": "string"
        }
      ],
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "description": "string",
      "entries": [
        {
          "field": "string",
          "operator": "excluded",
          "type": "match",
          "value": "string"
        }
      ],
      "expire_time": "2025-05-04T09:42:00+00:00",
      "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
      "item_id": "simple_list_item",
      "list_id": "simple_list",
      "meta": {},
      "name": "string",
      "namespace_type": "agnostic",
      "os_types": [
        "linux"
      ],
      "tags": [
        "string"
      ],
      "tie_breaker_id": "string",
      "type": "simple",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "page": 42,
  "per_page": 42,
  "pit": "string",
  "total": 42
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (404)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

GET /api/endpoint/action_status

Get the status of response actions for the specified agent IDs.

Query parameters

query object Required

Additional properties are allowed.
Hide query attribute Show query attribute object
- agent_ids array[string] | string
  
  One of:
  array-1 array[string] string-2 string
  
  At least 1 but not more than 50 elements. Minimum length of each is 1.

Responses

200 application/json

OK
Hide response attribute Show response attribute object
- body object Required
  
  Additional properties are allowed.
  
  Hide body attribute Show body attribute object
  
  data object Required
  
  Additional properties are allowed.
  
  Hide data attributes Show data attributes object
  
  agent_id string Required
  
  Agent ID
  
  pending_actions object Required
  
  One of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  execute integer
  
  get-file integer
  
  isolate integer
  
  kill-process integer
  
  running-processes integer
  
  scan integer
  
  suspend-process integer
  
  unisolate integer
  
  upload integer

GET /api/endpoint/action_status

curl \
 --request GET https://localhost:5601/api/endpoint/action_status?query=%7B%7D

Response examples (200)

{
  "body": {
    "data": {
      "agent_id": "string",
      "pending_actions": {
        "execute": 42,
        "get-file": 42,
        "isolate": 42,
        "kill-process": 42,
        "running-processes": 42,
        "scan": 42,
        "suspend-process": 42,
        "unisolate": 42,
        "upload": 42
      }
    }
  }
}

params object

payload object | null Required

alertId string | array[string]

index string | array[string]

Get cases for an alert Technical preview

Body Required

agents array[string] | string Required

item string | object Required

Body object

inputs array[object] | object Required

vars object

inputs array[object] | object Required

vars object