Get rule details

GET /api/alerting/rule/{id}

Path parameters

id string Required

The identifier for the rule.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

GET /api/alerting/rule/{id}

curl \
 --request GET https://localhost:5601/api/alerting/rule/{id}

Response examples (200)

{
  "actions": [
    {
      "alerts_filter": {
        "query": {
          "dsl": "string",
          "filters": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {},
              "query": {}
            }
          ],
          "kql": "string"
        },
        "timeframe": {
          "days": [
            1
          ],
          "hours": {
            "end": "string",
            "start": "string"
          },
          "timezone": "string"
        }
      },
      "connector_type_id": "string",
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": true,
        "throttle": "string"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "use_alert_data_for_template": true,
      "uuid": "string"
    }
  ],
  "active_snoozes": [
    "string"
  ],
  "alert_delay": {
    "active": 42.0
  },
  "api_key_created_by_user": true,
  "api_key_owner": "string",
  "consumer": "string",
  "created_at": "string",
  "created_by": "string",
  "enabled": true,
  "execution_status": {
    "error": {
      "message": "string",
      "reason": "read"
    },
    "last_duration": 42.0,
    "last_execution_date": "string",
    "status": "ok",
    "warning": {
      "message": "string",
      "reason": "maxExecutableActions"
    }
  },
  "flapping": {
    "look_back_window": 42.0,
    "status_change_threshold": 42.0
  },
  "id": "string",
  "is_snoozed_until": "string",
  "last_run": {
    "alerts_count": {
      "active": 42.0,
      "ignored": 42.0,
      "new": 42.0,
      "recovered": 42.0
    },
    "outcome": "succeeded",
    "outcome_msg": [
      "string"
    ],
    "outcome_order": 42.0,
    "warning": "read"
  },
  "mapped_params": {},
  "monitoring": {
    "run": {
      "calculated_metrics": {
        "p50": 42.0,
        "p95": 42.0,
        "p99": 42.0,
        "success_ratio": 42.0
      },
      "history": [
        {
          "duration": 42.0,
          "outcome": "succeeded",
          "success": true,
          "timestamp": 42.0
        }
      ],
      "last_run": {
        "metrics": {
          "duration": 42.0,
          "gap_duration_s": 42.0,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_alerts_created": 42.0,
          "total_alerts_detected": 42.0,
          "total_indexing_duration_ms": 42.0,
          "total_search_duration_ms": 42.0
        },
        "timestamp": "string"
      }
    }
  },
  "mute_all": true,
  "muted_alert_ids": [
    "string"
  ],
  "name": "string",
  "next_run": "string",
  "notify_when": "onActionGroupChange",
  "params": {},
  "revision": 42.0,
  "rule_type_id": "string",
  "running": true,
  "schedule": {
    "interval": "string"
  },
  "scheduled_task_id": "string",
  "snooze_schedule": [
    {
      "duration": 42.0,
      "id": "string",
      "rRule": {
        "byhour": [
          42.0
        ],
        "byminute": [
          42.0
        ],
        "bymonth": [
          42.0
        ],
        "bymonthday": [
          42.0
        ],
        "bysecond": [
          42.0
        ],
        "bysetpos": [
          42.0
        ],
        "byweekday": [
          "string"
        ],
        "byweekno": [
          42.0
        ],
        "byyearday": [
          42.0
        ],
        "count": 42.0,
        "dtstart": "string",
        "freq": 0,
        "interval": 42.0,
        "tzid": "string",
        "until": "string",
        "wkst": "MO"
      },
      "skipRecurrences": [
        "string"
      ]
    }
  ],
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updated_at": "string",
  "updated_by": "string",
  "view_in_app_relative_url": "string"
}

Update a rule

PUT /api/alerting/rule/{id}

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

application/json

Body

actions array[object]

Default value is [] (empty).
Hide actions attributes Show actions attributes object
- alerts_filter object
  
  Additional properties are NOT allowed.
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
- frequency object
  
  Additional properties are NOT allowed.
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
- id string Required
  
  The identifier for the connector saved object.
- params object
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Default value is {} (empty). Additional properties are allowed.
- use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
- uuid string
  
  A universally unique identifier (UUID) for the action.
alert_delay object

Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

Additional properties are NOT allowed.
Hide alert_delay attribute Show alert_delay attribute object
- active number Required
  
  The number of consecutive runs that must meet the rule conditions.
flapping object | null

When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

Additional properties are NOT allowed.
Hide flapping attributes Show flapping attributes object | null
- look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
- status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
name string Required

The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when string | null

Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
params object

The parameters for the rule.

Default value is {} (empty). Additional properties are allowed.
schedule object Required

Additional properties are NOT allowed.
Hide schedule attribute Show schedule attribute object
- interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
tags array[string]

The tags for the rule.

Default value is [] (empty).
throttle string | null

Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.
409

Indicates that the rule has already been updated by another user.

PUT /api/alerting/rule/{id}

curl \
 --request PUT https://localhost:5601/api/alerting/rule/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"new name","tags":[],"params":{"index":[".updated-index"],"aggType":"avg","groupBy":"top","aggField":"sheet.version","termSize":6,"termField":"name.keyword","threshold":[1000],"timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m","thresholdComparator":"\u003e"},"actions":[{"id":"96b668d0-a1b6-11ed-afdf-d39a49596974","group":"threshold met","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"},"frequency":{"summary":false,"notify_when":"onActionGroupChange"}}],"schedule":{"interval":"1m"}}'

Request example

Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.

{
  "name": "new name",
  "tags": [],
  "params": {
    "index": [
      ".updated-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "schedule": {
    "interval": "1m"
  }
}

Response examples (200)

The response for successfully updating an index threshold rule.

{
  "id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74",
  "name": "new name",
  "tags": [],
  "params": {
    "index": [
      ".updated-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    }
  },
  "mute_all": false,
  "next_run": "2024-03-26T23:23:51.316Z",
  "revision": 1,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2024-03-26T23:13:20.985Z",
  "created_by": "elastic",
  "updated_at": "2024-03-26T23:22:59.949Z",
  "updated_by": "elastic",
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 52,
    "last_execution_date": "2024-03-26T23:22:51.390Z"
  },
  "scheduled_task_id": "4c5eda00-e74f-11ec-b72f-5b18752ff9ea",
  "api_key_created_by_user": false
}

Delete a rule

DELETE /api/alerting/rule/{id}

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

DELETE /api/alerting/rule/{id}

curl \
 --request DELETE https://localhost:5601/api/alerting/rule/{id} \
 --header "kbn-xsrf: true"

Disable a rule

POST /api/alerting/rule/{id}/_disable

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

application/json

Body

untrack boolean

Defines whether this rule's alerts should be untracked.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_disable

curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_disable \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"untrack":true}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "untrack": true
}

Enable a rule

POST /api/alerting/rule/{id}/_enable

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_enable

curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_enable \
 --header "kbn-xsrf: true"

Update the API key for a rule

POST /api/alerting/rule/{id}/_update_api_key

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.
409

Indicates that the rule has already been updated by another user.

POST /api/alerting/rule/{id}/_update_api_key

curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_update_api_key \
 --header "kbn-xsrf: true"

Create or update agent configuration

PUT /api/apm/settings/agent-configuration

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

overwrite boolean

If the config exists ?overwrite=true is required

application/json

Body Required

agent_name string

Agent name
service object Required

Service

Additional properties are allowed.
Hide service attributes Show service attributes object
- environment string
  
  Environment
- name string
  
  Name
settings object Required

Agent configuration settings
Hide settings attribute Show settings attribute object
- * string Additional properties

Responses

200 application/json

Successful response

Additional properties are NOT allowed.
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

PUT /api/apm/settings/agent-configuration

curl \
 --request PUT https://localhost:5601/api/apm/settings/agent-configuration \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"agent_name":"string","service":{"environment":"prod","name":"node"},"settings":{"additionalProperty1":"string","additionalProperty2":"string"}}'

Request examples

# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "agent_name": "string",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}

Response examples (200)

{}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}

Response examples (404)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Delete agent configuration

DELETE /api/apm/settings/agent-configuration

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body Required

environment string

Environment
name string

Name

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- result string
  
  Result
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

DELETE /api/apm/settings/agent-configuration

curl \
 --request DELETE https://localhost:5601/api/apm/settings/agent-configuration \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"environment":"prod","name":"node"}'

Request examples

# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "environment": "prod",
  "name": "node"
}

Response examples (200)

{
  "result": "string"
}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}

Response examples (404)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Lookup single agent configuration

POST /api/apm/settings/agent-configuration/search

This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body Required

etag string

If etags match then applied_by_agent field will be set to true
mark_as_applied_by_agent boolean

markAsAppliedByAgent=true means "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags
service object Required

Service

Additional properties are allowed.
Hide service attributes Show service attributes object
- environment string
  
  Environment
- name string
  
  Name

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _id string
  
  Identifier
- _index string
  
  Index
- _score number
  
  Score
- _source object
  
  Agent configuration
  
  Additional properties are allowed.
  
  Hide _source attributes Show _source attributes object
  
  @timestamp number Required
  
  Timestamp
  
  agent_name string
  
  Agent name
  
  applied_by_agent boolean
  
  Applied by agent
  
  etag string Required
  
  Etag
  
  service object Required
  
  Service
  
  Additional properties are allowed.
  
  Hide service attributes Show service attributes object
  
  environment string
  
  Environment
  
  name string
  
  Name
  
  settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

POST /api/apm/settings/agent-configuration/search

curl \
 --request POST https://localhost:5601/api/apm/settings/agent-configuration/search \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"etag":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","mark_as_applied_by_agent":true,"service":{"environment":"prod","name":"node"}}'

Request examples

# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "mark_as_applied_by_agent": true,
  "service": {
    "environment": "prod",
    "name": "node"
  }
}

Response examples (200)

{
  "_id": "string",
  "_index": "string",
  "_score": 42.0,
  "_source": {
    "@timestamp": 1730194190636,
    "agent_name": "string",
    "applied_by_agent": true,
    "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
    "service": {
      "environment": "prod",
      "name": "node"
    },
    "settings": {
      "additionalProperty1": "string",
      "additionalProperty2": "string"
    }
  }
}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (404)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get single agent configuration

GET /api/apm/settings/agent-configuration/view

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

name string

Service name
environment string

Service environment

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- id string Required
- @timestamp number Required
  
  Timestamp
- agent_name string
  
  Agent name
- applied_by_agent boolean
  
  Applied by agent
- etag string Required
  
  Etag
- service object Required
  
  Service
  
  Additional properties are allowed.
  
  Hide service attributes Show service attributes object
  
  environment string
  
  Environment
  
  name string
  
  Name
- settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration/view

curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration/view \
 --header "elastic-api-version: 2023-10-31"

Response examples (200)

{
  "id": "string",
  "@timestamp": 1730194190636,
  "agent_name": "string",
  "applied_by_agent": true,
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (404)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get source maps

GET /api/apm/sourcemaps

Returns an array of Fleet artifacts, including source map uploads.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

page number

Page number
perPage number

Number of records per page

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- artifacts array[object]
  
  Artifacts
  
  Hide artifacts attributes Show artifacts attributes object
  
  body object
  
  Additional properties are allowed.
  
  Hide body attributes Show body attributes object
  
  bundleFilepath string
  
  serviceName string
  
  serviceVersion string
  
  sourceMap object
  
  Additional properties are allowed.
  
  Hide sourceMap attributes Show sourceMap attributes object
  
  file string
  
  mappings string
  
  sourceRoot string
  
  sources array[string]
  
  sourcesContent array[string]
  
  version number
  
  compressionAlgorithm string
  
  Compression Algorithm
  
  created string
  
  Created date
  
  decodedSha256 string
  
  Decoded SHA-256
  
  decodedSize number
  
  Decoded size
  
  encodedSha256 string
  
  Encoded SHA-256
  
  encodedSize number
  
  Encoded size
  
  encryptionAlgorithm string
  
  Encryption Algorithm
  
  id string
  
  Identifier
  
  identifier string
  
  Identifier
  
  packageName string
  
  Package name
  
  relative_url string
  
  Relative URL
  
  type string
  
  Type
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
501 application/json

Not Implemented response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/sourcemaps

curl \
 --request GET https://localhost:5601/api/apm/sourcemaps \
 --header "elastic-api-version: 2023-10-31"

Response examples (200)

{
  "artifacts": [
    {
      "body": {
        "bundleFilepath": "string",
        "serviceName": "string",
        "serviceVersion": "string",
        "sourceMap": {
          "file": "string",
          "mappings": "string",
          "sourceRoot": "string",
          "sources": [
            "string"
          ],
          "sourcesContent": [
            "string"
          ],
          "version": 42.0
        }
      },
      "compressionAlgorithm": "string",
      "created": "string",
      "decodedSha256": "string",
      "decodedSize": 42.0,
      "encodedSha256": "string",
      "encodedSize": 42.0,
      "encryptionAlgorithm": "string",
      "id": "string",
      "identifier": "string",
      "packageName": "string",
      "relative_url": "string",
      "type": "string"
    }
  ]
}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (500)

{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

Response examples (501)

{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Query parameters

ids array[string] Required

The cases that you want to removed. All non-ASCII characters must be URL encoded.

Responses

204

Indicates a successful call.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

DELETE /api/cases

curl \
 --request DELETE https://localhost:5601/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43 \
 --header "kbn-xsrf: string"

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case connectors

GET /api/cases/configure/connectors/_find

Get information about connectors that are supported for use in cases. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actionTypeId string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
- config object
  
  Additional properties are allowed.
  
  Hide config attributes Show config attributes object
  
  apiUrl string
  
  projectKey string
- id string
- isDeprecated boolean
- isMissingSecrets boolean
- isPreconfigured boolean
- name string
- referencedByCount integer
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/configure/connectors/_find

curl \
 --request GET https://localhost:5601/api/cases/configure/connectors/_find

Response examples (200)

[
  {
    "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "name": "my-Jira",
    "config": {
      "apiUrl": "https://elastic.atlassian.net/",
      "projectKey": "ES"
    },
    "actionTypeId": ".jira",
    "isDeprecated": false,
    "isPreconfigured": false,
    "isMissingSecrets": false,
    "referencedByCount": 0
  }
]

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case tags

GET /api/cases/tags

Aggregates and returns a list of case tags. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

owner string | array[string]

A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

200 application/json

Indicates a successful call.

Not more than 10000 elements.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/tags

curl \
 --request GET https://localhost:5601/api/cases/tags

Response examples (200)

[
  "observability",
  "security",
  "tag 1",
  "tag 2"
]

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Update a connector

PUT /api/actions/connector/{id}

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

application/json

Body

name string Required

The display name for the connector.
config object

The connector configuration details.
One of:
bedrock_config object crowdstrike_config object d3security_config object email_config object gemini_config object resilient_config object index_config object jira_config object genai_azure_config object genai_openai_config object opsgenie_config object pagerduty_config object sentinelone_config object servicenow_config object servicenow_itom_config object slack_api_config object swimlane_config object thehive_config object tines_config object torq_config object webhook_config object cases_webhook_config object xmatters_config object
Defines properties for connectors when type is .bedrock.
Hide attributes Show attributes

apiUrl string Required

The Amazon Bedrock request URL.

defaultModel string

The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.

Default value is anthropic.claude-3-5-sonnet-20240620-v1:0.
Defines config properties for connectors when type is .crowdstrike.
Hide attribute Show attribute

url string Required

The CrowdStrike tenant URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .d3security.
Hide attribute Show attribute

url string Required

The D3 Security API request URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .email.
Hide attributes Show attributes

clientId string | null

The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If service is exchange_server, this property is required.

from string Required

The from address for all emails sent by the connector. It must be specified in user@host-name format.

hasAuth boolean

Specifies whether a user and password are required inside the secrets configuration.

Default value is true.

host string

The host name of the service provider. If the service is elastic_cloud (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If service is other, this property must be defined.

oauthTokenUrl string | null

port integer

The port to connect to on the service provider. If the service is elastic_cloud (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If service is other, this property must be defined.

secure boolean

Specifies whether the connection to the service provider will use TLS. If the service is elastic_cloud (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.

service string

The name of the email service.

Values are elastic_cloud, exchange_server, gmail, other, outlook365, or ses.

tenantId string | null

The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If service is exchange_server, this property is required.
Defines properties for connectors when type is .gemini.
Hide attributes Show attributes

apiUrl string Required

The Google Gemini request URL.

defaultModel string

The generative artificial intelligence model for Google Gemini to use.

Default value is gemini-1.5-pro-002.

gcpRegion string Required

The GCP region where the Vertex AI endpoint enabled.

gcpProjectID string Required

The Google ProjectID that has Vertex AI endpoint enabled.
Defines properties for connectors when type is .resilient.
Hide attributes Show attributes

apiUrl string Required

The IBM Resilient instance URL.

orgId string Required

The IBM Resilient organization ID.
Defines properties for connectors when type is .index.
Hide attributes Show attributes

executionTimeField string | null

A field that indicates when the document was indexed.

index string Required

The Elasticsearch index to be written to.

refresh boolean

The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.

Default value is false.
Defines properties for connectors when type is .jira.
Hide attributes Show attributes

apiUrl string Required

The Jira instance URL.

projectKey string Required

The Jira project key.
Defines properties for connectors when type is .gen-ai and the API provider is Azure OpenAI.
Hide attributes Show attributes

apiProvider string Required

The OpenAI API provider.

Value is Azure OpenAI.

apiUrl string Required

The OpenAI API endpoint.
Defines properties for connectors when type is .gen-ai and the API provider is OpenAI.
Hide attributes Show attributes

apiProvider string Required

The OpenAI API provider.

Value is OpenAI.

apiUrl string Required

The OpenAI API endpoint.

defaultModel string

The default model to use for requests.
Defines properties for connectors when type is .opsgenie.
Hide attribute Show attribute

apiUrl string Required

The Opsgenie URL. For example, https://api.opsgenie.com or https://api.eu.opsgenie.com. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .pagerduty.
Hide attribute Show attribute

apiUrl string | null

The PagerDuty event URL.
Defines properties for connectors when type is .sentinelone.
Hide attribute Show attribute

url string Required

The SentinelOne tenant URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .servicenow.
Hide attributes Show attributes

apiUrl string Required

The ServiceNow instance URL.

clientId string

The client ID assigned to your OAuth application. This property is required when isOAuth is true.

isOAuth boolean

The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).

Default value is false.

jwtKeyId string

The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when isOAuth is true.

userIdentifierValue string

The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is Email, the user identifier should be the user's email address. This property is required when isOAuth is true.

usesTableApi boolean

Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to false, the Elastic application should be installed in ServiceNow.

Default value is true.
Defines properties for connectors when type is .servicenow-itom.
Hide attributes Show attributes

apiUrl string Required

The ServiceNow instance URL.

clientId string

The client ID assigned to your OAuth application. This property is required when isOAuth is true.

isOAuth boolean

The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).

Default value is false.

jwtKeyId string

The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when isOAuth is true.

userIdentifierValue string

The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is Email, the user identifier should be the user's email address. This property is required when isOAuth is true.
Defines properties for connectors when type is .slack_api.
Hide attribute Show attribute

allowedChannels array[object]

A list of valid Slack channels.

Hide allowedChannels attributes Show allowedChannels attributes object

id string Required

The Slack channel ID.

Minimum length is 1.

name string Required

The Slack channel name.

Minimum length is 1.
Defines properties for connectors when type is .swimlane.
Hide attributes Show attributes

apiUrl string Required

The Swimlane instance URL.

appId string Required

The Swimlane application ID.

connectorType string Required

The type of connector. Valid values are all, alerts, and cases.

Values are all, alerts, or cases.

mappings object

The field mapping.

Additional properties are allowed.

Hide mappings attributes Show mappings attributes object

alertIdConfig object

Mapping for the alert ID.

Additional properties are allowed.

Hide alertIdConfig attributes Show alertIdConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

caseIdConfig object

Mapping for the case ID.

Additional properties are allowed.

Hide caseIdConfig attributes Show caseIdConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

caseNameConfig object

Mapping for the case name.

Additional properties are allowed.

Hide caseNameConfig attributes Show caseNameConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

commentsConfig object

Mapping for the case comments.

Additional properties are allowed.

Hide commentsConfig attributes Show commentsConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

descriptionConfig object

Mapping for the case description.

Additional properties are allowed.

Hide descriptionConfig attributes Show descriptionConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

ruleNameConfig object

Mapping for the name of the alert's rule.

Additional properties are allowed.

Hide ruleNameConfig attributes Show ruleNameConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.

severityConfig object

Mapping for the severity.

Additional properties are allowed.

Hide severityConfig attributes Show severityConfig attributes object

fieldType string Required

The type of field in Swimlane.

id string Required

The identifier for the field in Swimlane.

key string Required

The key for the field in Swimlane.

name string Required

The name of the field in Swimlane.
Defines configuration properties for connectors when type is .thehive.
Hide attributes Show attributes

organisation string

The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key.

url string Required

The instance URL in TheHive. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines properties for connectors when type is .tines.
Hide attribute Show attribute

url string Required

The Tines tenant URL. If you are using the xpack.actions.allowedHosts setting, make sure this hostname is added to the allowed hosts.
Defines properties for connectors when type is .torq.
Hide attribute Show attribute

webhookIntegrationUrl string Required

The endpoint URL of the Elastic Security integration in Torq.
Defines properties for connectors when type is .webhook.
Hide attributes Show attributes

authType string | null

The type of authentication to use: basic, SSL, or none.

Values are webhook-authentication-basic or webhook-authentication-ssl.

ca string

A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.

certType string

If the authType is webhook-authentication-ssl, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.

Values are ssl-crt-key or ssl-pfx.

hasAuth boolean

If true, a username and password for login type authentication must be provided.

Default value is true.

headers object | null

A set of key-value pairs sent as headers with the request.

Additional properties are allowed.

method string

The HTTP request method, either post or put.

Values are post or put. Default value is post.

url string

The request URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

verificationMode string

Controls the verification of certificates. Use full to validate that the certificate has an issue date within the not_before and not_after dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use certificate to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use none to skip certificate validation.

Values are certificate, full, or none. Default value is full.
Defines properties for connectors when type is .cases-webhook.
Hide attributes Show attributes

authType string | null

The type of authentication to use: basic, SSL, or none.

Values are webhook-authentication-basic or webhook-authentication-ssl.

ca string

A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.

certType string

If the authType is webhook-authentication-ssl, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.

Values are ssl-crt-key or ssl-pfx.

createCommentJson string

A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is case.comment. Due to Mustache template variables (the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.

createCommentMethod string

The REST API HTTP request method to create a case comment in the third-party system. Valid values are patch, post, and put.

Values are patch, post, or put. Default value is put.

createCommentUrl string

The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

createIncidentJson string Required

A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are case.title and case.description. Due to Mustache template variables (which is the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.

createIncidentMethod string

The REST API HTTP request method to create a case in the third-party system. Valid values are patch, post, and put.

Values are patch, post, or put. Default value is post.

createIncidentResponseKey string Required

The JSON key in the create external case response that contains the case ID.

createIncidentUrl string Required

The REST API URL to create a case in the third-party system. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

getIncidentResponseExternalTitleKey string Required

The JSON key in get external case response that contains the case title.

getIncidentUrl string Required

The REST API URL to get the case by ID from the third-party system. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.

hasAuth boolean

If true, a username and password for login type authentication must be provided.

Default value is true.

headers string

A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.

updateIncidentJson string Required

The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are case.title and case.description. Due to Mustache template variables (which is the text enclosed in triple braces, for example, {{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.

updateIncidentMethod string

The REST API HTTP request method to update the case in the third-party system. Valid values are patch, post, and put.

Values are patch, post, or put. Default value is put.

updateIncidentUrl string Required

The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.

verificationMode string

Controls the verification of certificates. Use full to validate that the certificate has an issue date within the not_before and not_after dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use certificate to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use none to skip certificate validation.

Values are certificate, full, or none. Default value is full.

viewIncidentUrl string Required

The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.
Defines properties for connectors when type is .xmatters.
Hide attributes Show attributes

configUrl string | null

The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when usesBasic is true.

usesBasic boolean

Specifies whether the connector uses HTTP basic authentication (true) or URL authentication (false).

Default value is true.
secrets object
One of:
bedrock_secrets object crowdstrike_secrets object d3security_secrets object email_secrets object gemini_secrets object resilient_secrets object jira_secrets object teams_secrets object genai_secrets object opsgenie_secrets object pagerduty_secrets object sentinelone_secrets object servicenow_secrets object slack_api_secrets object swimlane_secrets object thehive_secrets object tines_secrets object torq_secrets object webhook_secrets object cases_webhook_secrets object xmatters_secrets object
Defines secrets for connectors when type is .bedrock.
Hide attributes Show attributes

accessKey string Required

The AWS access key for authentication.

secret string Required

The AWS secret for authentication.
Defines secrets for connectors when type is .crowdstrike.
Hide attributes Show attributes

clientId string Required

The CrowdStrike API client identifier.

clientSecret string Required

The CrowdStrike API client secret to authenticate the clientId.
Defines secrets for connectors when type is .d3security.
Hide attribute Show attribute

token string Required

The D3 Security token.
Defines secrets for connectors when type is .email.
Hide attributes Show attributes

clientSecret string

The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If service is exchange_server, this property is required.

password string

The password for HTTP basic authentication. If hasAuth is set to true, this property is required.

user string

The username for HTTP basic authentication. If hasAuth is set to true, this property is required.
Defines secrets for connectors when type is .gemini.
Hide attribute Show attribute

credentialsJson string Required

The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it.
Defines secrets for connectors when type is .resilient.
Hide attributes Show attributes

apiKeyId string Required

The authentication key ID for HTTP Basic authentication.

apiKeySecret string Required

The authentication key secret for HTTP Basic authentication.
Defines secrets for connectors when type is .jira.
Hide attributes Show attributes

apiToken string Required

The Jira API authentication token for HTTP basic authentication.

email string Required

The account email for HTTP Basic authentication.
Defines secrets for connectors when type is .teams.
Hide attribute Show attribute

webhookUrl string Required

The URL of the incoming webhook. If you are using the xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
Defines secrets for connectors when type is .gen-ai.
Hide attribute Show attribute

apiKey string

The OpenAI API key.
Defines secrets for connectors when type is .opsgenie.
Hide attribute Show attribute

apiKey string Required

The Opsgenie API authentication key for HTTP Basic authentication.
Defines secrets for connectors when type is .pagerduty.
Hide attribute Show attribute

routingKey string Required

A 32 character PagerDuty Integration Key for an integration on a service.
Defines secrets for connectors when type is .sentinelone.
Hide attribute Show attribute

token string Required

The A SentinelOne API token.
Defines secrets for connectors when type is .servicenow, .servicenow-sir, or .servicenow-itom.
Hide attributes Show attributes

clientSecret string

The client secret assigned to your OAuth application. This property is required when isOAuth is true.

password string

The password for HTTP basic authentication. This property is required when isOAuth is false.

privateKey string

The RSA private key that you created for use in ServiceNow. This property is required when isOAuth is true.

privateKeyPassword string

The password for the RSA private key. This property is required when isOAuth is true and you set a password on your private key.

username string

The username for HTTP basic authentication. This property is required when isOAuth is false.
Defines secrets for connectors when type is .slack.
Hide attribute Show attribute

token string Required

Slack bot user OAuth token.
Defines secrets for connectors when type is .swimlane.
Hide attribute Show attribute

apiToken string

Swimlane API authentication token.
Defines secrets for connectors when type is .thehive.
Hide attribute Show attribute

apiKey string Required

The API key for authentication in TheHive.
Defines secrets for connectors when type is .tines.
Hide attributes Show attributes

email string Required

The email used to sign in to Tines.

token string Required

The Tines API token.
Defines secrets for connectors when type is .torq.
Hide attribute Show attribute

token string Required

The secret of the webhook authentication header.
Defines secrets for connectors when type is .webhook.
Hide attributes Show attributes

crt string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the CRT or CERT file.

key string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the KEY file.

pfx string

If authType is webhook-authentication-ssl and certType is ssl-pfx, it is a base64 encoded version of the PFX or P12 file.

password string

The password for HTTP basic authentication or the passphrase for the SSL certificate files. If hasAuth is set to true and authType is webhook-authentication-basic, this property is required.

user string

The username for HTTP basic authentication. If hasAuth is set to true and authType is webhook-authentication-basic, this property is required.
Hide attributes Show attributes

crt string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the CRT or CERT file.

key string

If authType is webhook-authentication-ssl and certType is ssl-crt-key, it is a base64 encoded version of the KEY file.

pfx string

If authType is webhook-authentication-ssl and certType is ssl-pfx, it is a base64 encoded version of the PFX or P12 file.

password string

The password for HTTP basic authentication. If hasAuth is set to true and and authType is webhook-authentication-basic, this property is required.

user string

The username for HTTP basic authentication. If hasAuth is set to true and authType is webhook-authentication-basic, this property is required.
Defines secrets for connectors when type is .xmatters.
Hide attributes Show attributes

password string

A user name for HTTP basic authentication. It is applicable only when usesBasic is true.

secretsUrl string

The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when usesBasic is false.

user string

A password for HTTP basic authentication. It is applicable only when usesBasic is true.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- config object
  
  Additional properties are allowed.
- connector_type_id string Required
  
  The connector type identifier.
- id string Required
  
  The identifier for the connector.
- is_deprecated boolean Required
  
  Indicates whether the connector is deprecated.
- is_missing_secrets boolean
  
  Indicates whether the connector is missing secrets.
- is_preconfigured boolean Required
  
  Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.
- is_system_action boolean Required
  
  Indicates whether the connector is used for system actions.
- name string Required
  
  The name of the rule.

PUT /api/actions/connector/{id}

curl \
 --request PUT https://localhost:5601/api/actions/connector/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"updated-connector","config":{"index":"updated-index"}}'

Request example

{
  "name": "updated-connector",
  "config": {
    "index": "updated-index"
  }
}

Response examples (200)

{
  "config": {},
  "connector_type_id": "string",
  "id": "string",
  "is_deprecated": true,
  "is_missing_secrets": true,
  "is_preconfigured": true,
  "is_system_action": true,
  "name": "string"
}

Update an existing dashboard Technical Preview

PUT /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

A unique identifier for the dashboard.

application/json

Body

attributes object Required

Additional properties are NOT allowed.
Hide attributes attributes Show attributes attributes object
- controlGroupInput object
  
  Additional properties are NOT allowed.
  Hide controlGroupInput attributes Show controlGroupInput attributes object
  
  autoApplySelections boolean
  
  Show apply selections button in controls.
  
  Default value is true.
  
  chainingSystem string
  
  The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
  
  Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.
  
  controls array[object]
  
  An array of control panels and their state in the control group.
  
  Default value is [] (empty).
  
  Hide controls attributes Show controls attributes object
  
  controlConfig object
  
  Additional properties are allowed.
  
  grow boolean
  
  Expand width of the control panel to fit available space.
  
  Default value is false.
  
  id string
  
  The unique ID of the control.
  
  order number Required
  
  The order of the control panel in the control group.
  
  type string Required
  
  The type of the control panel.
  
  width string
  
  Minimum width of the control panel in the control group.
  
  Values are small, medium, or large. Default value is medium.
  
  enhancements object
  
  Additional properties are allowed.
  
  ignoreParentSettings object Required
  
  Additional properties are NOT allowed.
  
  Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
  
  ignoreFilters boolean
  
  Ignore global filters in controls.
  
  Default value is false.
  
  ignoreQuery boolean
  
  Ignore the global query bar in controls.
  
  Default value is false.
  
  ignoreTimerange boolean
  
  Ignore the global time range in controls.
  
  Default value is false.
  
  ignoreValidations boolean
  
  Ignore validations in controls.
  
  Default value is false.
  
  labelPosition string
  
  Position of the labels for controls. For example, "oneLine", "twoLine".
  
  Values are oneLine or twoLine. Default value is oneLine.
- description string
  
  A short description.
  
  Default value is empty.
- kibanaSavedObjectMeta object
  
  A container for various metadata
  
  Default value is {} (empty). Additional properties are NOT allowed.
  Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
  
  searchSource object
  
  Additional properties are allowed.
  
  Hide searchSource attributes Show searchSource attributes object
  
  filter array[object]
  
  Hide filter attributes Show filter attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  type string
  
  value string
  
  query object
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  language string Required
  
  The query language such as KQL or Lucene.
  
  query string | object Required
  
  Any of:
  string-1 string object-2 object
  
  A text-based query such as Kibana Query Language (KQL) or Lucene query language.
  
  sort array[object]
  
  type string
- options object Required
  
  Additional properties are NOT allowed.
  Hide options attributes Show options attributes object
  
  hidePanelTitles boolean
  
  Hide the panel titles in the dashboard.
  
  Default value is false.
  
  syncColors boolean
  
  Synchronize colors between related panels in the dashboard.
  
  Default value is true.
  
  syncCursor boolean
  
  Synchronize cursor position between related panels in the dashboard.
  
  Default value is true.
  
  syncTooltips boolean
  
  Synchronize tooltips between related panels in the dashboard.
  
  Default value is true.
  
  useMargins boolean
  
  Show margins between panels in the dashboard layout.
  
  Default value is true.
- panels array[object]
  
  Default value is [] (empty).
  Hide panels attributes Show panels attributes object
  
  gridData object Required
  
  Additional properties are NOT allowed.
  
  Hide gridData attributes Show gridData attributes object
  
  h number
  
  The height of the panel in grid units
  
  Minimum value is 1. Default value is 15.
  
  i string
  
  The unique identifier of the panel
  
  w number
  
  The width of the panel in grid units
  
  Minimum value is 1, maximum value is 48. Default value is 24.
  
  x number Required
  
  The x coordinate of the panel in grid units
  
  y number Required
  
  The y coordinate of the panel in grid units
  
  id string
  
  The saved object id for by reference panels
  
  panelConfig object Required
  
  Additional properties are allowed.
  
  Hide panelConfig attributes Show panelConfig attributes object
  
  description string
  
  The description of the panel
  
  enhancements object
  
  Additional properties are allowed.
  
  hidePanelTitles boolean
  
  Set to true to hide the panel title in its container.
  
  savedObjectId string
  
  The unique id of the library item to construct the embeddable.
  
  title string
  
  The title of the panel
  
  version string
  
  The version of the embeddable in the panel.
  
  panelIndex string
  
  The unique ID of the panel.
  
  panelRefName string
  
  title string
  
  The title of the panel
  
  type string Required
  
  The embeddable type
  
  version string Deprecated
  
  The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
- refreshInterval object
  
  A container for various refresh interval settings
  
  Additional properties are NOT allowed.
  Hide refreshInterval attributes Show refreshInterval attributes object
  
  display string Deprecated
  
  A human-readable string indicating the refresh frequency. No longer used.
  
  pause boolean Required
  
  Whether the refresh interval is set to be paused while viewing the dashboard.
  
  section number Deprecated
  
  No longer used.
  
  value number Required
  
  A numeric value indicating refresh frequency in milliseconds.
- timeFrom string
  
  An ISO string indicating when to restore time from
- timeRestore boolean
  
  Whether to restore time upon viewing this dashboard
  
  Default value is false.
- timeTo string
  
  An ISO string indicating when to restore time from
- title string Required
  
  A human-readable title for the dashboard
- version number Deprecated
references array[object]
Hide references attributes Show references attributes object
- id string Required
- name string Required
- type string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are allowed.
  
  Hide item attributes Show item attributes object
  
  attributes object Required
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  controlGroupInput object
  
  Additional properties are NOT allowed.
  
  Hide controlGroupInput attributes Show controlGroupInput attributes object
  
  autoApplySelections boolean
  
  Show apply selections button in controls.
  
  Default value is true.
  
  chainingSystem string
  
  The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
  
  Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.
  
  controls array[object]
  
  An array of control panels and their state in the control group.
  
  Default value is [] (empty).
  
  Hide controls attributes Show controls attributes object
  
  controlConfig object
  
  Additional properties are allowed.
  
  grow boolean
  
  Expand width of the control panel to fit available space.
  
  Default value is false.
  
  id string
  
  The unique ID of the control.
  
  order number Required
  
  The order of the control panel in the control group.
  
  type string Required
  
  The type of the control panel.
  
  width string
  
  Minimum width of the control panel in the control group.
  
  Values are small, medium, or large. Default value is medium.
  
  enhancements object
  
  Additional properties are allowed.
  
  ignoreParentSettings object Required
  
  Additional properties are NOT allowed.
  
  Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
  
  ignoreFilters boolean
  
  Ignore global filters in controls.
  
  Default value is false.
  
  ignoreQuery boolean
  
  Ignore the global query bar in controls.
  
  Default value is false.
  
  ignoreTimerange boolean
  
  Ignore the global time range in controls.
  
  Default value is false.
  
  ignoreValidations boolean
  
  Ignore validations in controls.
  
  Default value is false.
  
  labelPosition string
  
  Position of the labels for controls. For example, "oneLine", "twoLine".
  
  Values are oneLine or twoLine. Default value is oneLine.
  
  description string
  
  A short description.
  
  Default value is empty.
  
  kibanaSavedObjectMeta object
  
  A container for various metadata
  
  Default value is {} (empty). Additional properties are NOT allowed.
  
  Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
  
  searchSource object
  
  Additional properties are allowed.
  
  Hide searchSource attributes Show searchSource attributes object
  
  filter array[object]
  
  Hide filter attributes Show filter attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  type string
  
  value string
  
  query object
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  language string Required
  
  The query language such as KQL or Lucene.
  
  query string | object Required
  
  Any of:
  string-1 string object-2 object
  
  A text-based query such as Kibana Query Language (KQL) or Lucene query language.
  
  sort array[object]
  
  type string
  
  options object Required
  
  Additional properties are NOT allowed.
  
  Hide options attributes Show options attributes object
  
  hidePanelTitles boolean
  
  Hide the panel titles in the dashboard.
  
  Default value is false.
  
  syncColors boolean
  
  Synchronize colors between related panels in the dashboard.
  
  Default value is true.
  
  syncCursor boolean
  
  Synchronize cursor position between related panels in the dashboard.
  
  Default value is true.
  
  syncTooltips boolean
  
  Synchronize tooltips between related panels in the dashboard.
  
  Default value is true.
  
  useMargins boolean
  
  Show margins between panels in the dashboard layout.
  
  Default value is true.
  
  panels array[object]
  
  Default value is [] (empty).
  
  Hide panels attributes Show panels attributes object
  
  gridData object Required
  
  Additional properties are NOT allowed.
  
  Hide gridData attributes Show gridData attributes object
  
  h number
  
  The height of the panel in grid units
  
  Minimum value is 1. Default value is 15.
  
  i string Required
  
  w number
  
  The width of the panel in grid units
  
  Minimum value is 1, maximum value is 48. Default value is 24.
  
  x number Required
  
  The x coordinate of the panel in grid units
  
  y number Required
  
  The y coordinate of the panel in grid units
  
  id string
  
  The saved object id for by reference panels
  
  panelConfig object Required
  
  Additional properties are allowed.
  
  Hide panelConfig attributes Show panelConfig attributes object
  
  description string
  
  The description of the panel
  
  enhancements object
  
  Additional properties are allowed.
  
  hidePanelTitles boolean
  
  Set to true to hide the panel title in its container.
  
  savedObjectId string
  
  The unique id of the library item to construct the embeddable.
  
  title string
  
  The title of the panel
  
  version string
  
  The version of the embeddable in the panel.
  
  panelIndex string Required
  
  panelRefName string
  
  title string
  
  The title of the panel
  
  type string Required
  
  The embeddable type
  
  version string Deprecated
  
  The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
  
  refreshInterval object
  
  A container for various refresh interval settings
  
  Additional properties are NOT allowed.
  
  Hide refreshInterval attributes Show refreshInterval attributes object
  
  display string Deprecated
  
  A human-readable string indicating the refresh frequency. No longer used.
  
  pause boolean Required
  
  Whether the refresh interval is set to be paused while viewing the dashboard.
  
  section number Deprecated
  
  No longer used.
  
  value number Required
  
  A numeric value indicating refresh frequency in milliseconds.
  
  timeFrom string
  
  An ISO string indicating when to restore time from
  
  timeRestore boolean
  
  Whether to restore time upon viewing this dashboard
  
  Default value is false.
  
  timeTo string
  
  An ISO string indicating when to restore time from
  
  title string Required
  
  A human-readable title for the dashboard
  
  version number Deprecated
  
  createdAt string
  
  createdBy string
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  error string Required
  
  message string Required
  
  metadata object
  
  Additional properties are allowed.
  
  statusCode number Required
  
  id string Required
  
  managed boolean
  
  namespaces array[string]
  
  originId string
  
  references array[object] Required
  
  Hide references attributes Show references attributes object
  
  id string Required
  
  name string Required
  
  type string Required
  
  type string Required
  
  updatedAt string
  
  updatedBy string
  
  version string

PUT /api/dashboards/dashboard/{id}

curl \
 --request PUT https://localhost:5601/api/dashboards/dashboard/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"attributes":{"controlGroupInput":{"autoApplySelections":true,"chainingSystem":"HIERARCHICAL","controls":[{"controlConfig":{},"grow":false,"id":"string","order":42.0,"type":"string","width":"medium"}],"enhancements":{},"ignoreParentSettings":{"ignoreFilters":false,"ignoreQuery":false,"ignoreTimerange":false,"ignoreValidations":false},"labelPosition":"oneLine"},"description":"","kibanaSavedObjectMeta":{"searchSource":{"filter":[{"$state":{"store":"appState"},"meta":{"alias":"string","controlledBy":"string","disabled":true,"field":"string","group":"string","index":"string","isMultiIndex":true,"key":"string","negate":true,"type":"string","value":"string"},"query":{}}],"query":{"language":"string","query":"string"},"sort":[{}],"type":"string"}},"options":{"hidePanelTitles":false,"syncColors":true,"syncCursor":true,"syncTooltips":true,"useMargins":true},"panels":[{"gridData":{"h":15,"i":"string","w":24,"x":42.0,"y":42.0},"id":"string","panelConfig":{"description":"string","enhancements":{},"hidePanelTitles":true,"savedObjectId":"string","title":"string","version":"string"},"panelIndex":"string","panelRefName":"string","title":"string","type":"string","version":"string"}],"refreshInterval":{"display":"string","pause":true,"section":42.0,"value":42.0},"timeFrom":"string","timeRestore":false,"timeTo":"string","title":"string","version":42.0},"references":[{"id":"string","name":"string","type":"string"}]}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "attributes": {
    "controlGroupInput": {
      "autoApplySelections": true,
      "chainingSystem": "HIERARCHICAL",
      "controls": [
        {
          "controlConfig": {},
          "grow": false,
          "id": "string",
          "order": 42.0,
          "type": "string",
          "width": "medium"
        }
      ],
      "enhancements": {},
      "ignoreParentSettings": {
        "ignoreFilters": false,
        "ignoreQuery": false,
        "ignoreTimerange": false,
        "ignoreValidations": false
      },
      "labelPosition": "oneLine"
    },
    "description": "",
    "kibanaSavedObjectMeta": {
      "searchSource": {
        "filter": [
          {
            "$state": {
              "store": "appState"
            },
            "meta": {
              "alias": "string",
              "controlledBy": "string",
              "disabled": true,
              "field": "string",
              "group": "string",
              "index": "string",
              "isMultiIndex": true,
              "key": "string",
              "negate": true,
              "type": "string",
              "value": "string"
            },
            "query": {}
          }
        ],
        "query": {
          "language": "string",
          "query": "string"
        },
        "sort": [
          {}
        ],
        "type": "string"
      }
    },
    "options": {
      "hidePanelTitles": false,
      "syncColors": true,
      "syncCursor": true,
      "syncTooltips": true,
      "useMargins": true
    },
    "panels": [
      {
        "gridData": {
          "h": 15,
          "i": "string",
          "w": 24,
          "x": 42.0,
          "y": 42.0
        },
        "id": "string",
        "panelConfig": {
          "description": "string",
          "enhancements": {},
          "hidePanelTitles": true,
          "savedObjectId": "string",
          "title": "string",
          "version": "string"
        },
        "panelIndex": "string",
        "panelRefName": "string",
        "title": "string",
        "type": "string",
        "version": "string"
      }
    ],
    "refreshInterval": {
      "display": "string",
      "pause": true,
      "section": 42.0,
      "value": 42.0
    },
    "timeFrom": "string",
    "timeRestore": false,
    "timeTo": "string",
    "title": "string",
    "version": 42.0
  },
  "references": [
    {
      "id": "string",
      "name": "string",
      "type": "string"
    }
  ]
}

Response examples (200)

{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  }
}

Create a dashboard Technical Preview

POST /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string

A unique identifier for the dashboard.

application/json

Body

attributes object Required

Additional properties are NOT allowed.
Hide attributes attributes Show attributes attributes object
- controlGroupInput object
  
  Additional properties are NOT allowed.
  Hide controlGroupInput attributes Show controlGroupInput attributes object
  
  autoApplySelections boolean
  
  Show apply selections button in controls.
  
  Default value is true.
  
  chainingSystem string
  
  The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
  
  Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.
  
  controls array[object]
  
  An array of control panels and their state in the control group.
  
  Default value is [] (empty).
  
  Hide controls attributes Show controls attributes object
  
  controlConfig object
  
  Additional properties are allowed.
  
  grow boolean
  
  Expand width of the control panel to fit available space.
  
  Default value is false.
  
  id string
  
  The unique ID of the control.
  
  order number Required
  
  The order of the control panel in the control group.
  
  type string Required
  
  The type of the control panel.
  
  width string
  
  Minimum width of the control panel in the control group.
  
  Values are small, medium, or large. Default value is medium.
  
  enhancements object
  
  Additional properties are allowed.
  
  ignoreParentSettings object Required
  
  Additional properties are NOT allowed.
  
  Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
  
  ignoreFilters boolean
  
  Ignore global filters in controls.
  
  Default value is false.
  
  ignoreQuery boolean
  
  Ignore the global query bar in controls.
  
  Default value is false.
  
  ignoreTimerange boolean
  
  Ignore the global time range in controls.
  
  Default value is false.
  
  ignoreValidations boolean
  
  Ignore validations in controls.
  
  Default value is false.
  
  labelPosition string
  
  Position of the labels for controls. For example, "oneLine", "twoLine".
  
  Values are oneLine or twoLine. Default value is oneLine.
- description string
  
  A short description.
  
  Default value is empty.
- kibanaSavedObjectMeta object
  
  A container for various metadata
  
  Default value is {} (empty). Additional properties are NOT allowed.
  Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
  
  searchSource object
  
  Additional properties are allowed.
  
  Hide searchSource attributes Show searchSource attributes object
  
  filter array[object]
  
  Hide filter attributes Show filter attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  type string
  
  value string
  
  query object
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  language string Required
  
  The query language such as KQL or Lucene.
  
  query string | object Required
  
  Any of:
  string-1 string object-2 object
  
  A text-based query such as Kibana Query Language (KQL) or Lucene query language.
  
  sort array[object]
  
  type string
- options object Required
  
  Additional properties are NOT allowed.
  Hide options attributes Show options attributes object
  
  hidePanelTitles boolean
  
  Hide the panel titles in the dashboard.
  
  Default value is false.
  
  syncColors boolean
  
  Synchronize colors between related panels in the dashboard.
  
  Default value is true.
  
  syncCursor boolean
  
  Synchronize cursor position between related panels in the dashboard.
  
  Default value is true.
  
  syncTooltips boolean
  
  Synchronize tooltips between related panels in the dashboard.
  
  Default value is true.
  
  useMargins boolean
  
  Show margins between panels in the dashboard layout.
  
  Default value is true.
- panels array[object]
  
  Default value is [] (empty).
  Hide panels attributes Show panels attributes object
  
  gridData object Required
  
  Additional properties are NOT allowed.
  
  Hide gridData attributes Show gridData attributes object
  
  h number
  
  The height of the panel in grid units
  
  Minimum value is 1. Default value is 15.
  
  i string
  
  The unique identifier of the panel
  
  w number
  
  The width of the panel in grid units
  
  Minimum value is 1, maximum value is 48. Default value is 24.
  
  x number Required
  
  The x coordinate of the panel in grid units
  
  y number Required
  
  The y coordinate of the panel in grid units
  
  id string
  
  The saved object id for by reference panels
  
  panelConfig object Required
  
  Additional properties are allowed.
  
  Hide panelConfig attributes Show panelConfig attributes object
  
  description string
  
  The description of the panel
  
  enhancements object
  
  Additional properties are allowed.
  
  hidePanelTitles boolean
  
  Set to true to hide the panel title in its container.
  
  savedObjectId string
  
  The unique id of the library item to construct the embeddable.
  
  title string
  
  The title of the panel
  
  version string
  
  The version of the embeddable in the panel.
  
  panelIndex string
  
  The unique ID of the panel.
  
  panelRefName string
  
  title string
  
  The title of the panel
  
  type string Required
  
  The embeddable type
  
  version string Deprecated
  
  The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
- refreshInterval object
  
  A container for various refresh interval settings
  
  Additional properties are NOT allowed.
  Hide refreshInterval attributes Show refreshInterval attributes object
  
  display string Deprecated
  
  A human-readable string indicating the refresh frequency. No longer used.
  
  pause boolean Required
  
  Whether the refresh interval is set to be paused while viewing the dashboard.
  
  section number Deprecated
  
  No longer used.
  
  value number Required
  
  A numeric value indicating refresh frequency in milliseconds.
- timeFrom string
  
  An ISO string indicating when to restore time from
- timeRestore boolean
  
  Whether to restore time upon viewing this dashboard
  
  Default value is false.
- timeTo string
  
  An ISO string indicating when to restore time from
- title string Required
  
  A human-readable title for the dashboard
- version number Deprecated
references array[object]
Hide references attributes Show references attributes object
- id string Required
- name string Required
- type string Required
spaces array[string]

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are allowed.
  
  Hide item attributes Show item attributes object
  
  attributes object Required
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  controlGroupInput object
  
  Additional properties are NOT allowed.
  
  Hide controlGroupInput attributes Show controlGroupInput attributes object
  
  autoApplySelections boolean
  
  Show apply selections button in controls.
  
  Default value is true.
  
  chainingSystem string
  
  The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
  
  Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.
  
  controls array[object]
  
  An array of control panels and their state in the control group.
  
  Default value is [] (empty).
  
  Hide controls attributes Show controls attributes object
  
  controlConfig object
  
  Additional properties are allowed.
  
  grow boolean
  
  Expand width of the control panel to fit available space.
  
  Default value is false.
  
  id string
  
  The unique ID of the control.
  
  order number Required
  
  The order of the control panel in the control group.
  
  type string Required
  
  The type of the control panel.
  
  width string
  
  Minimum width of the control panel in the control group.
  
  Values are small, medium, or large. Default value is medium.
  
  enhancements object
  
  Additional properties are allowed.
  
  ignoreParentSettings object Required
  
  Additional properties are NOT allowed.
  
  Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
  
  ignoreFilters boolean
  
  Ignore global filters in controls.
  
  Default value is false.
  
  ignoreQuery boolean
  
  Ignore the global query bar in controls.
  
  Default value is false.
  
  ignoreTimerange boolean
  
  Ignore the global time range in controls.
  
  Default value is false.
  
  ignoreValidations boolean
  
  Ignore validations in controls.
  
  Default value is false.
  
  labelPosition string
  
  Position of the labels for controls. For example, "oneLine", "twoLine".
  
  Values are oneLine or twoLine. Default value is oneLine.
  
  description string
  
  A short description.
  
  Default value is empty.
  
  kibanaSavedObjectMeta object
  
  A container for various metadata
  
  Default value is {} (empty). Additional properties are NOT allowed.
  
  Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
  
  searchSource object
  
  Additional properties are allowed.
  
  Hide searchSource attributes Show searchSource attributes object
  
  filter array[object]
  
  Hide filter attributes Show filter attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  type string
  
  value string
  
  query object
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  language string Required
  
  The query language such as KQL or Lucene.
  
  query string | object Required
  
  Any of:
  string-1 string object-2 object
  
  A text-based query such as Kibana Query Language (KQL) or Lucene query language.
  
  sort array[object]
  
  type string
  
  options object Required
  
  Additional properties are NOT allowed.
  
  Hide options attributes Show options attributes object
  
  hidePanelTitles boolean
  
  Hide the panel titles in the dashboard.
  
  Default value is false.
  
  syncColors boolean
  
  Synchronize colors between related panels in the dashboard.
  
  Default value is true.
  
  syncCursor boolean
  
  Synchronize cursor position between related panels in the dashboard.
  
  Default value is true.
  
  syncTooltips boolean
  
  Synchronize tooltips between related panels in the dashboard.
  
  Default value is true.
  
  useMargins boolean
  
  Show margins between panels in the dashboard layout.
  
  Default value is true.
  
  panels array[object]
  
  Default value is [] (empty).
  
  Hide panels attributes Show panels attributes object
  
  gridData object Required
  
  Additional properties are NOT allowed.
  
  Hide gridData attributes Show gridData attributes object
  
  h number
  
  The height of the panel in grid units
  
  Minimum value is 1. Default value is 15.
  
  i string Required
  
  w number
  
  The width of the panel in grid units
  
  Minimum value is 1, maximum value is 48. Default value is 24.
  
  x number Required
  
  The x coordinate of the panel in grid units
  
  y number Required
  
  The y coordinate of the panel in grid units
  
  id string
  
  The saved object id for by reference panels
  
  panelConfig object Required
  
  Additional properties are allowed.
  
  Hide panelConfig attributes Show panelConfig attributes object
  
  description string
  
  The description of the panel
  
  enhancements object
  
  Additional properties are allowed.
  
  hidePanelTitles boolean
  
  Set to true to hide the panel title in its container.
  
  savedObjectId string
  
  The unique id of the library item to construct the embeddable.
  
  title string
  
  The title of the panel
  
  version string
  
  The version of the embeddable in the panel.
  
  panelIndex string Required
  
  panelRefName string
  
  title string
  
  The title of the panel
  
  type string Required
  
  The embeddable type
  
  version string Deprecated
  
  The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
  
  refreshInterval object
  
  A container for various refresh interval settings
  
  Additional properties are NOT allowed.
  
  Hide refreshInterval attributes Show refreshInterval attributes object
  
  display string Deprecated
  
  A human-readable string indicating the refresh frequency. No longer used.
  
  pause boolean Required
  
  Whether the refresh interval is set to be paused while viewing the dashboard.
  
  section number Deprecated
  
  No longer used.
  
  value number Required
  
  A numeric value indicating refresh frequency in milliseconds.
  
  timeFrom string
  
  An ISO string indicating when to restore time from
  
  timeRestore boolean
  
  Whether to restore time upon viewing this dashboard
  
  Default value is false.
  
  timeTo string
  
  An ISO string indicating when to restore time from
  
  title string Required
  
  A human-readable title for the dashboard
  
  version number Deprecated
  
  createdAt string
  
  createdBy string
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  error string Required
  
  message string Required
  
  metadata object
  
  Additional properties are allowed.
  
  statusCode number Required
  
  id string Required
  
  managed boolean
  
  namespaces array[string]
  
  originId string
  
  references array[object] Required
  
  Hide references attributes Show references attributes object
  
  id string Required
  
  name string Required
  
  type string Required
  
  type string Required
  
  updatedAt string
  
  updatedBy string
  
  version string

POST /api/dashboards/dashboard/{id}

curl \
 --request POST https://localhost:5601/api/dashboards/dashboard/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"attributes":{"controlGroupInput":{"autoApplySelections":true,"chainingSystem":"HIERARCHICAL","controls":[{"controlConfig":{},"grow":false,"id":"string","order":42.0,"type":"string","width":"medium"}],"enhancements":{},"ignoreParentSettings":{"ignoreFilters":false,"ignoreQuery":false,"ignoreTimerange":false,"ignoreValidations":false},"labelPosition":"oneLine"},"description":"","kibanaSavedObjectMeta":{"searchSource":{"filter":[{"$state":{"store":"appState"},"meta":{"alias":"string","controlledBy":"string","disabled":true,"field":"string","group":"string","index":"string","isMultiIndex":true,"key":"string","negate":true,"type":"string","value":"string"},"query":{}}],"query":{"language":"string","query":"string"},"sort":[{}],"type":"string"}},"options":{"hidePanelTitles":false,"syncColors":true,"syncCursor":true,"syncTooltips":true,"useMargins":true},"panels":[{"gridData":{"h":15,"i":"string","w":24,"x":42.0,"y":42.0},"id":"string","panelConfig":{"description":"string","enhancements":{},"hidePanelTitles":true,"savedObjectId":"string","title":"string","version":"string"},"panelIndex":"string","panelRefName":"string","title":"string","type":"string","version":"string"}],"refreshInterval":{"display":"string","pause":true,"section":42.0,"value":42.0},"timeFrom":"string","timeRestore":false,"timeTo":"string","title":"string","version":42.0},"references":[{"id":"string","name":"string","type":"string"}],"spaces":["string"]}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "attributes": {
    "controlGroupInput": {
      "autoApplySelections": true,
      "chainingSystem": "HIERARCHICAL",
      "controls": [
        {
          "controlConfig": {},
          "grow": false,
          "id": "string",
          "order": 42.0,
          "type": "string",
          "width": "medium"
        }
      ],
      "enhancements": {},
      "ignoreParentSettings": {
        "ignoreFilters": false,
        "ignoreQuery": false,
        "ignoreTimerange": false,
        "ignoreValidations": false
      },
      "labelPosition": "oneLine"
    },
    "description": "",
    "kibanaSavedObjectMeta": {
      "searchSource": {
        "filter": [
          {
            "$state": {
              "store": "appState"
            },
            "meta": {
              "alias": "string",
              "controlledBy": "string",
              "disabled": true,
              "field": "string",
              "group": "string",
              "index": "string",
              "isMultiIndex": true,
              "key": "string",
              "negate": true,
              "type": "string",
              "value": "string"
            },
            "query": {}
          }
        ],
        "query": {
          "language": "string",
          "query": "string"
        },
        "sort": [
          {}
        ],
        "type": "string"
      }
    },
    "options": {
      "hidePanelTitles": false,
      "syncColors": true,
      "syncCursor": true,
      "syncTooltips": true,
      "useMargins": true
    },
    "panels": [
      {
        "gridData": {
          "h": 15,
          "i": "string",
          "w": 24,
          "x": 42.0,
          "y": 42.0
        },
        "id": "string",
        "panelConfig": {
          "description": "string",
          "enhancements": {},
          "hidePanelTitles": true,
          "savedObjectId": "string",
          "title": "string",
          "version": "string"
        },
        "panelIndex": "string",
        "panelRefName": "string",
        "title": "string",
        "type": "string",
        "version": "string"
      }
    ],
    "refreshInterval": {
      "display": "string",
      "pause": true,
      "section": 42.0,
      "value": 42.0
    },
    "timeFrom": "string",
    "timeRestore": false,
    "timeTo": "string",
    "title": "string",
    "version": 42.0
  },
  "references": [
    {
      "id": "string",
      "name": "string",
      "type": "string"
    }
  ],
  "spaces": [
    "string"
  ]
}

Response examples (200)

{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  }
}

Create an agent policy

POST /api/fleet/agent_policies

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

sys_monitoring boolean

application/json

Body

advanced_settings object

Additional properties are NOT allowed.
Hide advanced_settings attributes Show advanced_settings attributes object
agent_features array[object]
Hide agent_features attributes Show agent_features attributes object
- enabled boolean Required
- name string Required
agentless object

Additional properties are NOT allowed.
Hide agentless attribute Show agentless attribute object
- resources object
  
  Additional properties are NOT allowed.
  Hide resources attribute Show resources attribute object
  
  requests object
  
  Additional properties are NOT allowed.
  
  Hide requests attributes Show requests attributes object
  
  cpu string
  
  memory string
data_output_id string | null
description string
download_source_id string | null
fleet_server_host_id string | null
force boolean
global_data_tags array[object]

User defined data tags that are added to all of the inputs. The values can be strings or numbers.
Hide global_data_tags attributes Show global_data_tags attributes object
- name string Required
- value string | number Required
  
  Any of:
  string-1 string number-2 number
has_fleet_server boolean
id string
inactivity_timeout number

Minimum value is 0. Default value is 1209600.
is_default boolean
is_default_fleet_server boolean
is_managed boolean
is_protected boolean
keep_monitoring_alive boolean | null

When set to true, monitoring will be enabled but logs/metrics collection will be disabled

Default value is false.
monitoring_diagnostics object

Additional properties are NOT allowed.
Hide monitoring_diagnostics attributes Show monitoring_diagnostics attributes object
- limit object
  
  Additional properties are NOT allowed.
  Hide limit attributes Show limit attributes object
  
  burst number
  
  interval string
- uploader object
  
  Additional properties are NOT allowed.
  Hide uploader attributes Show uploader attributes object
  
  init_dur string
  
  max_dur string
  
  max_retries number
monitoring_enabled array[string]

Values are logs, metrics, or traces.
monitoring_http object

Additional properties are NOT allowed.
Hide monitoring_http attributes Show monitoring_http attributes object
- buffer object
  
  Additional properties are NOT allowed.
  Hide buffer attribute Show buffer attribute object
  
  enabled boolean
  
  Default value is false.
- enabled boolean
- host string
- port number
  
  Minimum value is 0, maximum value is 65353.
monitoring_output_id string | null
monitoring_pprof_enabled boolean
name string Required

Minimum length is 1.
namespace string Required

Minimum length is 1.
overrides object | null

Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.

Additional properties are allowed.
required_versions array[object] | null
Hide required_versions attributes Show required_versions attributes object
- percentage number Required
  
  Target percentage of agents to auto upgrade
  
  Minimum value is 0, maximum value is 100.
- version string Required
  
  Target version for automatic agent upgrade
space_ids array[string]
supports_agentless boolean | null

Indicates whether the agent policy supports agentless integrations.

Default value is false.
unenroll_timeout number

Minimum value is 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  advanced_settings object
  
  Additional properties are NOT allowed.
  
  Hide advanced_settings attributes Show advanced_settings attributes object
  
  agent_download_target_directory
  
  agent_download_timeout
  
  agent_limits_go_max_procs
  
  agent_logging_files_interval
  
  agent_logging_files_keepfiles
  
  agent_logging_files_rotateeverybytes
  
  agent_logging_level
  
  agent_logging_metrics_period
  
  agent_logging_to_files
  
  agent_features array[object]
  
  Hide agent_features attributes Show agent_features attributes object
  
  enabled boolean Required
  
  name string Required
  
  agentless object
  
  Additional properties are NOT allowed.
  
  Hide agentless attribute Show agentless attribute object
  
  resources object
  
  Additional properties are NOT allowed.
  
  Hide resources attribute Show resources attribute object
  
  requests object
  
  Additional properties are NOT allowed.
  
  Hide requests attributes Show requests attributes object
  
  cpu string
  
  memory string
  
  agents number
  
  data_output_id string | null
  
  description string
  
  download_source_id string | null
  
  fleet_server_host_id string | null
  
  global_data_tags array[object]
  
  User defined data tags that are added to all of the inputs. The values can be strings or numbers.
  
  Hide global_data_tags attributes Show global_data_tags attributes object
  
  name string Required
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  has_fleet_server boolean
  
  id string Required
  
  inactivity_timeout number
  
  Minimum value is 0. Default value is 1209600.
  
  is_default boolean
  
  is_default_fleet_server boolean
  
  is_managed boolean Required
  
  is_preconfigured boolean
  
  is_protected boolean Required
  
  Indicates whether the agent policy has tamper protection enabled. Default false.
  
  keep_monitoring_alive boolean | null
  
  When set to true, monitoring will be enabled but logs/metrics collection will be disabled
  
  Default value is false.
  
  monitoring_diagnostics object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_diagnostics attributes Show monitoring_diagnostics attributes object
  
  limit object
  
  Additional properties are NOT allowed.
  
  Hide limit attributes Show limit attributes object
  
  burst number
  
  interval string
  
  uploader object
  
  Additional properties are NOT allowed.
  
  Hide uploader attributes Show uploader attributes object
  
  init_dur string
  
  max_dur string
  
  max_retries number
  
  monitoring_enabled array[string]
  
  Values are logs, metrics, or traces.
  
  monitoring_http object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_http attributes Show monitoring_http attributes object
  
  buffer object
  
  Additional properties are NOT allowed.
  
  Hide buffer attribute Show buffer attribute object
  
  enabled boolean
  
  Default value is false.
  
  enabled boolean
  
  host string
  
  port number
  
  Minimum value is 0, maximum value is 65353.
  
  monitoring_output_id string | null
  
  monitoring_pprof_enabled boolean
  
  name string Required
  
  Minimum length is 1.
  
  namespace string Required
  
  Minimum length is 1.
  
  overrides object | null
  
  Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are allowed.
  
  package_policies array[string] | array[object]
  
  Any of:
  array-1 array[string] array-2 array[object]
  
  This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
  
  Hide attributes Show attributes object
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
  
  required_versions array[object] | null
  
  Hide required_versions attributes Show required_versions attributes object
  
  percentage number Required
  
  Target percentage of agents to auto upgrade
  
  Minimum value is 0, maximum value is 100.
  
  version string Required
  
  Target version for automatic agent upgrade
  
  revision number Required
  
  schema_version string
  
  space_ids array[string]
  
  status string Required
  
  Values are active or inactive.
  
  supports_agentless boolean | null
  
  Indicates whether the agent policy supports agentless integrations.
  
  Default value is false.
  
  unenroll_timeout number
  
  Minimum value is 0.
  
  unprivileged_agents number
  
  updated_at string Required
  
  updated_by string Required
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/agent_policies

curl \
 --request POST https://localhost:5601/api/fleet/agent_policies \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"advanced_settings":{},"agent_features":[{"enabled":true,"name":"string"}],"agentless":{"resources":{"requests":{"cpu":"string","memory":"string"}}},"data_output_id":"string","description":"string","download_source_id":"string","fleet_server_host_id":"string","force":true,"global_data_tags":[{"name":"string","value":"string"}],"has_fleet_server":true,"id":"string","inactivity_timeout":1209600,"is_default":true,"is_default_fleet_server":true,"is_managed":true,"is_protected":true,"keep_monitoring_alive":false,"monitoring_diagnostics":{"limit":{"burst":42.0,"interval":"string"},"uploader":{"init_dur":"string","max_dur":"string","max_retries":42.0}},"monitoring_enabled":["logs"],"monitoring_http":{"buffer":{"enabled":false},"enabled":true,"host":"string","port":42.0},"monitoring_output_id":"string","monitoring_pprof_enabled":true,"name":"string","namespace":"string","overrides":{},"required_versions":[{"percentage":42.0,"version":"string"}],"space_ids":["string"],"supports_agentless":false,"unenroll_timeout":42.0}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "advanced_settings": {},
  "agent_features": [
    {
      "enabled": true,
      "name": "string"
    }
  ],
  "agentless": {
    "resources": {
      "requests": {
        "cpu": "string",
        "memory": "string"
      }
    }
  },
  "data_output_id": "string",
  "description": "string",
  "download_source_id": "string",
  "fleet_server_host_id": "string",
  "force": true,
  "global_data_tags": [
    {
      "name": "string",
      "value": "string"
    }
  ],
  "has_fleet_server": true,
  "id": "string",
  "inactivity_timeout": 1209600,
  "is_default": true,
  "is_default_fleet_server": true,
  "is_managed": true,
  "is_protected": true,
  "keep_monitoring_alive": false,
  "monitoring_diagnostics": {
    "limit": {
      "burst": 42.0,
      "interval": "string"
    },
    "uploader": {
      "init_dur": "string",
      "max_dur": "string",
      "max_retries": 42.0
    }
  },
  "monitoring_enabled": [
    "logs"
  ],
  "monitoring_http": {
    "buffer": {
      "enabled": false
    },
    "enabled": true,
    "host": "string",
    "port": 42.0
  },
  "monitoring_output_id": "string",
  "monitoring_pprof_enabled": true,
  "name": "string",
  "namespace": "string",
  "overrides": {},
  "required_versions": [
    {
      "percentage": 42.0,
      "version": "string"
    }
  ],
  "space_ids": [
    "string"
  ],
  "supports_agentless": false,
  "unenroll_timeout": 42.0
}

Response examples (200)

{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an uploaded file

GET /api/fleet/agents/files/{fileId}/{fileName}

Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Path parameters

fileId string Required
fileName string Required

Responses

200 application/json

Additional properties are allowed.
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/agents/files/{fileId}/{fileName}

curl \
 --request GET https://localhost:5601/api/fleet/agents/files/{fileId}/{fileName}

Response examples (200)

{}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agent setup info

GET /api/fleet/agents/setup

[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].

Responses

200 application/json
Hide response attributes Show response attributes object
- is_secrets_storage_enabled boolean
- is_space_awareness_enabled boolean
- isReady boolean Required
- missing_optional_features array[string] Required
  
  Value is encrypted_saved_object_encryption_key_required.
- missing_requirements array[string] Required
  
  Values are security_required, tls_required, api_keys, fleet_admin_user, or fleet_server.
- package_verification_key_id string
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/agents/setup

curl \
 --request GET https://localhost:5601/api/fleet/agents/setup

Response examples (200)

{
  "is_secrets_storage_enabled": true,
  "is_space_awareness_enabled": true,
  "isReady": true,
  "missing_optional_features": [
    "encrypted_saved_object_encryption_key_required"
  ],
  "missing_requirements": [
    "security_required"
  ],
  "package_verification_key_id": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Initiate agent setup

POST /api/fleet/agents/setup

[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Responses

200 application/json
Hide response attributes Show response attributes object
- isInitialized boolean Required
- nonFatalErrors array[object] Required
  
  Hide nonFatalErrors attributes Show nonFatalErrors attributes object
  
  message string Required
  
  name string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/agents/setup

curl \
 --request POST https://localhost:5601/api/fleet/agents/setup \
 --header "kbn-xsrf: true"

Response examples (200)

{
  "isInitialized": true,
  "nonFatalErrors": [
    {
      "message": "string",
      "name": "string"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk get assets

POST /api/fleet/epm/bulk_assets

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

assetIds array[object] Required
Hide assetIds attributes Show assetIds attributes object
- id string Required
- type string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  appLink string
  
  attributes object Required
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  description string
  
  service string
  
  title string
  
  id string Required
  
  type string Required
  
  updatedAt string
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/epm/bulk_assets

curl \
 --request POST https://localhost:5601/api/fleet/epm/bulk_assets \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"assetIds":[{"id":"string","type":"string"}]}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "assetIds": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}

Response examples (200)

{
  "items": [
    {
      "appLink": "string",
      "attributes": {
        "description": "string",
        "service": "string",
        "title": "string"
      },
      "id": "string",
      "type": "string",
      "updatedAt": "string"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a limited package list

GET /api/fleet/epm/packages/limited

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[string] Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/epm/packages/limited

curl \
 --request GET https://localhost:5601/api/fleet/epm/packages/limited

Response examples (200)

{
  "items": [
    "string"
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get outputs

GET /api/fleet/outputs

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Any of:
  object-1 object object-2 object object-3 object object-4 object
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string(uri)] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  name string Required
  
  preset string
  
  Values are balanced, custom, throughput, scale, or latency.
  
  proxy_id string | null
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  type string Required
  
  Value is elasticsearch.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string(uri)] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  kibana_api_key string | null
  
  kibana_url string | null
  
  name string Required
  
  preset string
  
  Values are balanced, custom, throughput, scale, or latency.
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attributes Show secrets attributes object
  
  kibana_api_key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  service_token object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  service_token string | null
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  sync_integrations boolean
  
  type string Required
  
  Value is remote_elasticsearch.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  name string Required
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  type string Required
  
  Value is logstash.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  auth_type string Required
  
  Values are none, user_pass, ssl, or kerberos.
  
  broker_timeout number
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  client_id string
  
  compression string
  
  Values are gzip, snappy, lz4, or none.
  
  compression_level array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  config_yaml string | null
  
  connection_type array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  hash object
  
  Additional properties are allowed.
  
  Hide hash attributes Show hash attributes object
  
  hash string
  
  random boolean
  
  headers array[object]
  
  Hide headers attributes Show headers attributes object
  
  key string Required
  
  value string Required
  
  hosts array[string] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  key string
  
  name string Required
  
  partition string
  
  Values are random, round_robin, or hash.
  
  password array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  proxy_id string | null
  
  random object
  
  Additional properties are allowed.
  
  Hide random attribute Show random attribute object
  
  group_events number
  
  required_acks integer
  
  Values are 1, 0, or -1.
  
  round_robin object
  
  Additional properties are allowed.
  
  Hide round_robin attribute Show round_robin attribute object
  
  group_events number
  
  sasl object | null
  
  Additional properties are allowed.
  
  Hide sasl attribute Show sasl attribute object | null
  
  mechanism string
  
  Values are PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attributes Show secrets attributes object
  
  password object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string Required
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  timeout number
  
  topic string
  
  type string Required
  
  Value is kafka.
  
  username array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  version string
- page number Required
- perPage number Required
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/outputs

curl \
 --request GET https://localhost:5601/api/fleet/outputs

Response examples (200)

{
  "items": [
    {
      "allow_edit": [
        "string"
      ],
      "ca_sha256": "string",
      "ca_trusted_fingerprint": "string",
      "config_yaml": "string",
      "hosts": [
        "https://example.com"
      ],
      "id": "string",
      "is_default": false,
      "is_default_monitoring": false,
      "is_internal": true,
      "is_preconfigured": true,
      "name": "string",
      "preset": "balanced",
      "proxy_id": "string",
      "shipper": {
        "compression_level": 42.0,
        "disk_queue_compression_enabled": true,
        "disk_queue_enabled": false,
        "disk_queue_encryption_enabled": true,
        "disk_queue_max_size": 42.0,
        "disk_queue_path": "string",
        "loadbalance": true,
        "max_batch_bytes": 42.0,
        "mem_queue_events": 42.0,
        "queue_flush_timeout": 42.0
      },
      "ssl": {
        "certificate": "string",
        "certificate_authorities": [
          "string"
        ],
        "key": "string",
        "verification_mode": "full"
      },
      "type": "elasticsearch"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete output

DELETE /api/fleet/outputs/{outputId}

Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

outputId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- id string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number
404 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

DELETE /api/fleet/outputs/{outputId}

curl \
 --request DELETE https://localhost:5601/api/fleet/outputs/{outputId} \
 --header "kbn-xsrf: true"

Response examples (200)

{
  "id": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Response examples (404)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update saved objects Deprecated

POST /api/saved_objects/_bulk_update

Update the attributes for multiple Kibana saved objects.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json

Body Required

object object

Additional properties are allowed.

Responses

200 application/json

Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.

Additional properties are allowed.
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
  
  Value is Bad Request.
- message string Required
- statusCode integer Required
  
  Value is 400.

POST /api/saved_objects/_bulk_update

curl \
 --request POST https://localhost:5601/api/saved_objects/_bulk_update \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'

Request examples

# Headers
kbn-xsrf: string

# Payload
[
  {}
]

Response examples (200)

{}

Response examples (400)

{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Create a saved object Deprecated

POST /api/saved_objects/{type}/{id}

Create a Kibana saved object and specify its identifier instead of using a randomly generated ID.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

id string Required

An identifier for the saved object.
type string Required

Valid options include visualization, dashboard, search, index-pattern, config.

Query parameters

overwrite boolean

If true, overwrites the document with the same identifier.

application/json

Body Required

attributes object Required

The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.

Additional properties are allowed.
initialNamespaces array

Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single' or namespaceType: 'multiple-isolated'), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered withnamespaceType: agnostic`), this option cannot be used.
references array

Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single' or namespaceType: 'multiple-isolated'), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered withnamespaceType: agnostic`), this option cannot be used.

Responses

200 application/json

Indicates a successful call.

Additional properties are allowed.
409 application/json

Indicates a conflict error.

Additional properties are allowed.

POST /api/saved_objects/{type}/{id}

curl \
 --request POST https://localhost:5601/api/saved_objects/{type}/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"attributes":{},"initialNamespaces":[],"references":[]}'

Request examples

# Headers
kbn-xsrf: string

# Payload
{
  "attributes": {},
  "initialNamespaces": [],
  "references": []
}

Response examples (200)

{}

Response examples (409)

{}

Create a detection rule

POST /api/detection_engine/rules

Create a new detection rule.

application/json

Body object Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
language string Required

Query language to use

Value is eql.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is eql.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
event_category_override string
filters array
index array[string]
tiebreaker_field string

Sets a secondary field for sorting events
timestamp_field string

Contains the event timestamp used for sorting a sequence of events

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
type string Required Discriminator

Rule type

Value is query.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
saved_id string
language string

Values are kuery or lucene.
query string

EQL query to execute

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
saved_id string Required
type string Required Discriminator

Rule type

Value is saved_query.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
query string

EQL query to execute
language string

Values are kuery or lucene.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
query string Required

EQL query to execute
threshold object Required

Additional properties are allowed.
Hide threshold attributes Show threshold attributes object
- cardinality array[object]
  Hide cardinality attributes Show cardinality attributes object
  
  field string Required
  
  value integer Required
  
  Minimum value is 0.
- field string | array[string] Required
  
  Field to aggregate on
  
  One of:
  string-1 string array-2 array[string]
- value integer Required
  
  Threshold value
  
  Minimum value is 1.
type string Required Discriminator

Rule type

Value is threshold.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attribute Show alert_suppression attribute object
- duration object Required
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
data_view_id string
filters array
index array[string]
saved_id string
language string

Values are kuery or lucene.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
query string Required

EQL query to execute
threat_index array[string] Required
threat_mapping array[object] Required

At least 1 element.
Hide threat_mapping attribute Show threat_mapping attribute object
- entries array[object] Required
  Hide entries attributes Show entries attributes object
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required
  
  Value is mapping.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
threat_query string Required

Query to run
type string Required Discriminator

Rule type

Value is threat_match.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
concurrent_searches integer

Minimum value is 1.
data_view_id string
filters array
index array[string]
items_per_search integer

Minimum value is 1.
saved_id string
threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)
threat_language string

Values are kuery or lucene.
language string

Values are kuery or lucene.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
anomaly_threshold integer Required

Anomaly threshold

Minimum value is 0.
machine_learning_job_id string | array[string] Required

Machine learning job ID

One of:
string-1 string array-2 array[string]
type string Required Discriminator

Rule type

Value is machine_learning.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
history_window_start string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
new_terms_fields array[string] Required

At least 1 but not more than 3 elements.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is new_terms.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
language string

Values are kuery or lucene.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
language string Required

Value is esql.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is esql.

Responses

200 application/json

Indicates a successful call.
Any of:
Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

language string Required

Query language to use

Value is eql.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is eql.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

event_category_override string

filters array

index array[string]

tiebreaker_field string

Sets a secondary field for sorting events

timestamp_field string

Contains the event timestamp used for sorting a sequence of events
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

type string Required Discriminator

Rule type

Value is query.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

saved_id string

language string Required

Values are kuery or lucene.

query string Required

EQL query to execute
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

saved_id string Required

type string Required Discriminator

Rule type

Value is saved_query.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

query string

EQL query to execute

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

query string Required

EQL query to execute

threshold object Required

Additional properties are allowed.

Hide threshold attributes Show threshold attributes object

cardinality array[object]

Hide cardinality attributes Show cardinality attributes object

field string Required

value integer Required

Minimum value is 0.

field string | array[string] Required

Field to aggregate on

One of:
string-1 string array-2 array[string]

value integer Required

Threshold value

Minimum value is 1.

type string Required Discriminator

Rule type

Value is threshold.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attribute Show alert_suppression attribute object

duration object Required

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

data_view_id string

filters array

index array[string]

saved_id string

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

query string Required

EQL query to execute

threat_index array[string] Required

threat_mapping array[object] Required

At least 1 element.

Hide threat_mapping attribute Show threat_mapping attribute object

entries array[object] Required

Hide entries attributes Show entries attributes object

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required

Value is mapping.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

threat_query string Required

Query to run

type string Required Discriminator

Rule type

Value is threat_match.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

concurrent_searches integer

Minimum value is 1.

data_view_id string

filters array

index array[string]

items_per_search integer

Minimum value is 1.

saved_id string

threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values

threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)

threat_language string

Values are kuery or lucene.

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

anomaly_threshold integer Required

Anomaly threshold

Minimum value is 0.

machine_learning_job_id string | array[string] Required

Machine learning job ID

One of:
string-1 string array-2 array[string]

type string Required Discriminator

Rule type

Value is machine_learning.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

history_window_start string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

new_terms_fields array[string] Required

At least 1 but not more than 3 elements.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is new_terms.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

language string Required

Value is esql.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is esql.

POST /api/detection_engine/rules

curl \
 --request POST https://localhost:5601/api/detection_engine/rules \
 --header "Content-Type: application/json" \
 --data '{"actions":[{"action_type_id":"string","alerts_filter":{},"frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":"no_actions"},"group":"string","id":"string","params":{},"uuid":"string"}],"alias_purpose":"savedObjectConversion","alias_target_id":"string","author":["string"],"building_block_type":"string","description":"string","enabled":true,"exceptions_list":[{"id":"string","list_id":"string","namespace_type":"agnostic","type":"detection"}],"false_positives":["string"],"from":"string","interval":"string","investigation_fields":{"field_names":["string"]},"license":"string","max_signals":42,"meta":{},"name":"string","namespace":"string","note":"string","outcome":"exactMatch","output_index":"string","references":["string"],"related_integrations":[{"integration":"string","package":"string","version":"string"}],"required_fields":[{"name":"string","type":"string"}],"response_actions":[{"action_type_id":".osquery","params":{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string","timeout":42.0}}],"risk_score":42,"risk_score_mapping":[{"field":"string","operator":"equals","risk_score":42,"value":"string"}],"rule_id":"string","rule_name_override":"string","setup":"string","severity":"low","severity_mapping":[{"field":"string","operator":"equals","severity":"low","value":"string"}],"tags":["string"],"threat":[{"framework":"string","tactic":{"id":"string","name":"string","reference":"string"},"technique":[{"id":"string","name":"string","reference":"string","subtechnique":[{"id":"string","name":"string","reference":"string"}]}]}],"throttle":"no_actions","timeline_id":"string","timeline_title":"string","timestamp_override":"string","timestamp_override_fallback_disabled":true,"to":"string","version":42,"language":"eql","query":"string","type":"eql","alert_suppression":{"duration":{"unit":"s","value":42},"group_by":["string"],"missing_fields_strategy":"doNotSuppress"},"data_view_id":"string","event_category_override":"string","filters":[],"index":["string"],"tiebreaker_field":"string","timestamp_field":"string"}'

Request examples

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "language": "eql",
  "query": "string",
  "type": "eql",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "event_category_override": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "tiebreaker_field": "string",
  "timestamp_field": "string"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "type": "query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "query": "string"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "saved_id": "string",
  "type": "saved_query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "query": "string",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "query": "string",
  "threshold": {
    "cardinality": [
      {
        "field": "string",
        "value": 42
      }
    ],
    "field": "string",
    "value": 42
  },
  "type": "threshold",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    }
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "query": "string",
  "threat_index": [
    "string"
  ],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "string",
          "type": "mapping",
          "value": "string"
        }
      ]
    }
  ],
  "threat_query": "string",
  "type": "threat_match",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "concurrent_searches": 42,
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "items_per_search": 42,
  "saved_id": "string",
  "threat_filters": [],
  "threat_indicator_path": "string",
  "threat_language": "kuery",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "anomaly_threshold": 42,
  "machine_learning_job_id": "string",
  "type": "machine_learning",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  }
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "history_window_start": "string",
  "new_terms_fields": [
    "string"
  ],
  "query": "string",
  "type": "new_terms",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "language": "esql",
  "query": "string",
  "type": "esql"
}

Response examples (200)

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "language": "eql",
  "query": "string",
  "type": "eql",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "event_category_override": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "tiebreaker_field": "string",
  "timestamp_field": "string"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "type": "query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "query": "string"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "saved_id": "string",
  "type": "saved_query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "query": "string",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "query": "string",
  "threshold": {
    "cardinality": [
      {
        "field": "string",
        "value": 42
      }
    ],
    "field": "string",
    "value": 42
  },
  "type": "threshold",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    }
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "query": "string",
  "threat_index": [
    "string"
  ],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "string",
          "type": "mapping",
          "value": "string"
        }
      ]
    }
  ],
  "threat_query": "string",
  "type": "threat_match",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "concurrent_searches": 42,
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "items_per_search": 42,
  "saved_id": "string",
  "threat_filters": [],
  "threat_indicator_path": "string",
  "threat_language": "kuery",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "anomaly_threshold": 42,
  "machine_learning_job_id": "string",
  "type": "machine_learning",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  }
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "history_window_start": "string",
  "new_terms_fields": [
    "string"
  ],
  "query": "string",
  "type": "new_terms",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "language": "esql",
  "query": "string",
  "type": "esql"
}

Create multiple detection rules Deprecated

POST /api/detection_engine/rules/_bulk_create

Create new detection rules in bulk.

application/json

Body object Required

A JSON array of rules, where each rule contains the required fields.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
language string Required

Query language to use

Value is eql.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is eql.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
event_category_override string
filters array
index array[string]
tiebreaker_field string

Sets a secondary field for sorting events
timestamp_field string

Contains the event timestamp used for sorting a sequence of events

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
type string Required Discriminator

Rule type

Value is query.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
saved_id string
language string

Values are kuery or lucene.
query string

EQL query to execute

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
saved_id string Required
type string Required Discriminator

Rule type

Value is saved_query.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
query string

EQL query to execute
language string

Values are kuery or lucene.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
query string Required

EQL query to execute
threshold object Required

Additional properties are allowed.
Hide threshold attributes Show threshold attributes object
- cardinality array[object]
  Hide cardinality attributes Show cardinality attributes object
  
  field string Required
  
  value integer Required
  
  Minimum value is 0.
- field string | array[string] Required
  
  Field to aggregate on
  
  One of:
  string-1 string array-2 array[string]
- value integer Required
  
  Threshold value
  
  Minimum value is 1.
type string Required Discriminator

Rule type

Value is threshold.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attribute Show alert_suppression attribute object
- duration object Required
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
data_view_id string
filters array
index array[string]
saved_id string
language string

Values are kuery or lucene.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
query string Required

EQL query to execute
threat_index array[string] Required
threat_mapping array[object] Required

At least 1 element.
Hide threat_mapping attribute Show threat_mapping attribute object
- entries array[object] Required
  Hide entries attributes Show entries attributes object
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required
  
  Value is mapping.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
threat_query string Required

Query to run
type string Required Discriminator

Rule type

Value is threat_match.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
concurrent_searches integer

Minimum value is 1.
data_view_id string
filters array
index array[string]
items_per_search integer

Minimum value is 1.
saved_id string
threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)
threat_language string

Values are kuery or lucene.
language string

Values are kuery or lucene.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
anomaly_threshold integer Required

Anomaly threshold

Minimum value is 0.
machine_learning_job_id string | array[string] Required

Machine learning job ID

One of:
string-1 string array-2 array[string]
type string Required Discriminator

Rule type

Value is machine_learning.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
history_window_start string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
new_terms_fields array[string] Required

At least 1 but not more than 3 elements.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is new_terms.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
language string

Values are kuery or lucene.

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
language string Required

Value is esql.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is esql.

Responses

200 application/json

Indicates a successful call.
One of:
Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object Security_Detections_API_ErrorSchema object
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

language string Required

Query language to use

Value is eql.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is eql.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

event_category_override string

filters array

index array[string]

tiebreaker_field string

Sets a secondary field for sorting events

timestamp_field string

Contains the event timestamp used for sorting a sequence of events
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

type string Required Discriminator

Rule type

Value is query.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

saved_id string

language string Required

Values are kuery or lucene.

query string Required

EQL query to execute
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

saved_id string Required

type string Required Discriminator

Rule type

Value is saved_query.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

query string

EQL query to execute

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

query string Required

EQL query to execute

threshold object Required

Additional properties are allowed.

Hide threshold attributes Show threshold attributes object

cardinality array[object]

Hide cardinality attributes Show cardinality attributes object

field string Required

value integer Required

Minimum value is 0.

field string | array[string] Required

Field to aggregate on

One of:
string-1 string array-2 array[string]

value integer Required

Threshold value

Minimum value is 1.

type string Required Discriminator

Rule type

Value is threshold.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attribute Show alert_suppression attribute object

duration object Required

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

data_view_id string

filters array

index array[string]

saved_id string

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

query string Required

EQL query to execute

threat_index array[string] Required

threat_mapping array[object] Required

At least 1 element.

Hide threat_mapping attribute Show threat_mapping attribute object

entries array[object] Required

Hide entries attributes Show entries attributes object

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required

Value is mapping.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

threat_query string Required

Query to run

type string Required Discriminator

Rule type

Value is threat_match.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

concurrent_searches integer

Minimum value is 1.

data_view_id string

filters array

index array[string]

items_per_search integer

Minimum value is 1.

saved_id string

threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values

threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)

threat_language string

Values are kuery or lucene.

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

anomaly_threshold integer Required

Anomaly threshold

Minimum value is 0.

machine_learning_job_id string | array[string] Required

Machine learning job ID

One of:
string-1 string array-2 array[string]

type string Required Discriminator

Rule type

Value is machine_learning.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

history_window_start string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

new_terms_fields array[string] Required

At least 1 but not more than 3 elements.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is new_terms.

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Additional properties are allowed.

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Additional properties are allowed.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Hide required_fields attributes Show required_fields attributes object

ecs boolean Required

Whether the field is an ECS field

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Additional properties are allowed.

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Additional properties are allowed.

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Additional properties are allowed.

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Additional properties are allowed.

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Additional properties are allowed.

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

alert_suppression object

Additional properties are allowed.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Additional properties are allowed.

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

language string Required

Value is esql.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is esql.
Hide attributes Show attributes

error object Required

Additional properties are allowed.

Hide error attributes Show error attributes object

message string Required

status_code integer Required

Minimum value is 400.

id string

item_id string

Minimum length is 1.

list_id string

Minimum length is 1.

rule_id string

Could be any string, not necessarily a UUID

POST /api/detection_engine/rules/_bulk_create

curl \
 --request POST https://localhost:5601/api/detection_engine/rules/_bulk_create \
 --header "Content-Type: application/json" \
 --data '[{"actions":[{"action_type_id":"string","alerts_filter":{},"frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":"no_actions"},"group":"string","id":"string","params":{},"uuid":"string"}],"alias_purpose":"savedObjectConversion","alias_target_id":"string","author":["string"],"building_block_type":"string","description":"string","enabled":true,"exceptions_list":[{"id":"string","list_id":"string","namespace_type":"agnostic","type":"detection"}],"false_positives":["string"],"from":"string","interval":"string","investigation_fields":{"field_names":["string"]},"license":"string","max_signals":42,"meta":{},"name":"string","namespace":"string","note":"string","outcome":"exactMatch","output_index":"string","references":["string"],"related_integrations":[{"integration":"string","package":"string","version":"string"}],"required_fields":[{"name":"string","type":"string"}],"response_actions":[{"action_type_id":".osquery","params":{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string","timeout":42.0}}],"risk_score":42,"risk_score_mapping":[{"field":"string","operator":"equals","risk_score":42,"value":"string"}],"rule_id":"string","rule_name_override":"string","setup":"string","severity":"low","severity_mapping":[{"field":"string","operator":"equals","severity":"low","value":"string"}],"tags":["string"],"threat":[{"framework":"string","tactic":{"id":"string","name":"string","reference":"string"},"technique":[{"id":"string","name":"string","reference":"string","subtechnique":[{"id":"string","name":"string","reference":"string"}]}]}],"throttle":"no_actions","timeline_id":"string","timeline_title":"string","timestamp_override":"string","timestamp_override_fallback_disabled":true,"to":"string","version":42,"language":"eql","query":"string","type":"eql","alert_suppression":{"duration":{"unit":"s","value":42},"group_by":["string"],"missing_fields_strategy":"doNotSuppress"},"data_view_id":"string","event_category_override":"string","filters":[],"index":["string"],"tiebreaker_field":"string","timestamp_field":"string"}]'

Request examples

[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_id": "string",
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]

Response examples (200)

[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "ecs": true,
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "created_at": "2025-05-04T09:42:00+00:00",
    "created_by": "string",
    "execution_summary": {
      "last_execution": {
        "date": "2025-05-04T09:42:00+00:00",
        "message": "string",
        "metrics": {
          "execution_gap_duration_s": 42,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_enrichment_duration_ms": 42,
          "total_indexing_duration_ms": 42,
          "total_search_duration_ms": 42
        },
        "status": "going to run",
        "status_order": 42
      }
    },
    "id": "string",
    "immutable": true,
    "revision": 42,
    "rule_id": "string",
    "rule_source": {
      "is_customized": true,
      "type": "external"
    },
    "updated_at": "2025-05-04T09:42:00+00:00",
    "updated_by": "string",
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]

Retrieve the status of detection alert migrations Deprecated

GET /api/detection_engine/signals/migration_status

Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices.

Query parameters

from string(date-math) Required

Maximum age of qualifying detection alerts

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- indices array[object] Required
  
  Hide indices attributes Show indices attributes object
  
  index string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  is_outdated boolean Required
  
  migrations array[object] Required
  
  Hide migrations attributes Show migrations attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  status string Required
  
  Values are success, failure, or pending.
  
  updated string(date-time) Required
  
  version integer Required
  
  signal_versions array[object] Required
  
  Hide signal_versions attributes Show signal_versions attributes object
  
  count integer Required
  
  version integer Required
  
  version integer Required
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/detection_engine/signals/migration_status

curl \
 --request GET https://localhost:5601/api/detection_engine/signals/migration_status?from=now-30d

Response examples (200)

{
  "indices": [
    {
      "index": ".siem-signals-default-000002",
      "version": 15,
      "migrations": [
        {
          "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
          "status": "pending",
          "updated": "2021-01-06T20:41:37.173Z",
          "version": 16
        }
      ],
      "is_outdated": true,
      "signal_versions": [
        {
          "count": 100,
          "version": 15
        },
        {
          "count": 87,
          "version": 16
        }
      ]
    },
    {
      "index": ".siem-signals-default-000003",
      "version": 16,
      "migrations": [],
      "is_outdated": false,
      "signal_versions": [
        {
          "count": 54,
          "version": 16
        }
      ]
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Scan a file or directory

POST /api/endpoint/action/scan

Scan a specific file or directory on an endpoint for malware.

application/json

Body Required

agent_type string

The host agent type (optional). Defaults to endpoint.

Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.
alert_ids array[string(nonempty)]

A list of alerts ids.

At least 1 element. Minimum length of each is 1.
case_ids array[string]

Case IDs to be updated (cannot contain empty strings)

At least 1 element. Minimum length of each is 1.
comment string

Optional comment
endpoint_ids array[string] Required

List of endpoint IDs (cannot contain empty strings)

At least 1 element. Minimum length of each is 1.
parameters object Required

Additional properties are allowed.
Hide parameters attribute Show parameters attribute object
- path string Required

Responses

200 application/json

OK

Additional properties are allowed.

POST /api/endpoint/action/scan

curl \
 --request POST https://localhost:5601/api/endpoint/action/scan \
 --header "Content-Type: application/json" \
 --data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{"path":"string"}}'

Request examples

{
  "agent_type": "endpoint",
  "alert_ids": [
    "string"
  ],
  "case_ids": [
    "string"
  ],
  "comment": "string",
  "endpoint_ids": [
    "string"
  ],
  "parameters": {
    "path": "string"
  }
}

Response examples (200)

{}

Get an Entity Engine

GET /api/entity_store/engines/{entityType}

Path parameters

entityType string Required

The entity type of the engine (either 'user' or 'host').

Values are user, host, service, or universal.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- delay string
  
  Format should match the following pattern: [smdh]$. Default value is 1m.
- docsPerSecond integer
- error object
  
  Additional properties are allowed.
- fieldHistoryLength integer Required
- filter string
- frequency string
  
  Format should match the following pattern: [smdh]$. Default value is 1m.
- indexPattern string Required
- lookbackPeriod string
  
  Format should match the following pattern: [smdh]$. Default value is 24h.
- status string Required
  
  Values are installing, started, stopped, updating, or error.
- timeout string
  
  Format should match the following pattern: [smdh]$. Default value is 180s.
- timestampField string
- type string Required
  
  Values are user, host, service, or universal.

GET /api/entity_store/engines/{entityType}

curl \
 --request GET https://localhost:5601/api/entity_store/engines/{entityType}

Response examples (200)

{
  "delay": "1m",
  "docsPerSecond": 42,
  "error": {},
  "fieldHistoryLength": 42,
  "filter": "string",
  "frequency": "1m",
  "indexPattern": "string",
  "lookbackPeriod": "24h",
  "status": "installing",
  "timeout": "180s",
  "timestampField": "string",
  "type": "user"
}

Update an exception list item

PUT /api/exception_lists/items

Update an exception list item using the id or item_id field.

application/json

Body Required

Exception list item's properties

_version string

The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
comments array[object]

Default value is [] (empty).
Hide comments attributes Show comments attributes object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- id string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
entries array[object] Required
Any of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list object Required

Additional properties are allowed.

Hide list attributes Show list attributes object

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is list.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is exists.
Hide attributes Show attributes

entries array[object] Required

At least 1 element.

One of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is exists.

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required Discriminator

Value is nested.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is wildcard.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
id string(nonempty)

Exception's identifier.

Minimum length is 1.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
list_id string(nonempty)

Exception list's human readable string identifier, e.g. trusted-linux-processes.

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
Values are agnostic or single. Default value is single.
os_types array[string]

Use this field to specify the operating system.

Values are linux, macos, or windows. Default value is [] (empty).
tags array[string(nonempty)]

String array containing words and phrases to help categorize exception items.

Minimum length of each is 1. Default value is [] (empty).
type string Required

Value is simple.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Additional properties are allowed.
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows. Default value is [] (empty).
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1. Default value is [] (empty).
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

Exception list item not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

PUT /api/exception_lists/items

curl \
 --request PUT https://localhost:5601/api/exception_lists/items \
 --header "Content-Type: application/json" \
 --data '{"name":"Updated name","tags":[],"type":"simple","entries":[{"type":"match","field":"host.name","value":"rock01","operator":"included"}],"item_id":"simple_list_item","comments":[],"description":"Updated description","namespace_type":"single"}'

Request example

{
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "comments": [],
  "description": "Updated description",
  "namespace_type": "single"
}

Response examples (200)

{
  "id": "459c5e7e-f8b2-4f0b-b136-c1fc702f72da",
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzEyLDFd",
  "comments": [],
  "os_types": [],
  "created_at": "2025-01-07T21:12:25.512Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T21:34:50.233Z",
  "updated_by": "elastic",
  "description": "Updated description",
  "namespace_type": "single",
  "tie_breaker_id": "ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request body]: item_id: Expected string, received number",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "exception list item item_id: \\\"foo\\\" does not exist",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Security lists

Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

Lists are made up of:

List containers: A container for values of the same Elasticsearch data type. The following data types can be used:
- boolean
- byte
- date
- date_nanos
- date_range
- double
- double_range
- float
- float_range
- half_float
- integer
- integer_range
- ip
- ip_range
- keyword
- long
- long_range
- short
- text
List items: The values used to determine whether the exception prevents an alert from being generated.

All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named internal-ip-addresses-southport contains five items, where each item defines one internal IP address:

192.168.1.1
192.168.1.3
192.168.1.18
192.168.1.12
192.168.1.7

To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to create an exception list item that references the internal-ip-addresses-southport list.

Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (is in list, is not in list). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule's exceptions_list object.

Lists requirements

Before you can start using lists, you must create the .lists and .items data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to Enable and access detections for a complete list of requirements.

Update a value list

PUT /api/lists

Update a value list using the list id. The original list is replaced, and all unspecified fields are deleted.

You cannot modify the id value.

application/json

Body Required

Value list's properties

_version string

The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
description string(nonempty) Required

Describes the value list.

Minimum length is 1.
id string(nonempty) Required

Value list's identifier.

Minimum length is 1.
meta object

Placeholder for metadata about the value list.

Additional properties are allowed.
name string(nonempty) Required

Value list's name.

Minimum length is 1.
version integer

The document version number.

Minimum value is 1.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
- @timestamp string(date-time)
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string(nonempty) Required
  
  Describes the value list.
  
  Minimum length is 1.
- deserializer string
  
  Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
  
  {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
  
  {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
  
  {{{gte}}},{{{lte}}} - Date range values.
- id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
- immutable boolean Required
- meta object
  
  Placeholder for metadata about the value list.
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Value list's name.
  
  Minimum length is 1.
- serializer string
  
  Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
  
  (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
  
  (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
- version integer Required
  
  The document version number.
  
  Minimum value is 1.
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

PUT /api/lists

curl \
 --request PUT https://localhost:5601/api/lists \
 --header "Content-Type: application/json" \
 --data '{"id":"ip_list","name":"Bad ips - updated","description":"Latest list of bad ips"}'

Request example

{
  "id": "ip_list",
  "name": "Bad ips - updated",
  "description": "Latest list of bad ips"
}

Response examples (200)

{
  "id": "ip_list",
  "name": "Bad ips - updated",
  "type": "ip",
  "version": 3,
  "_version": "WzIsMV0=",
  "immutable": false,
  "@timestamp": "2025-01-08T04:47:34.273Z",
  "created_at": "2025-01-08T04:47:34.273Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:39:39.292Z",
  "updated_by": "elastic",
  "description": "Latest list of bad ips",
  "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request body]: id: Expected string, received number",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "list id: \\\"foo\\\" not found",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Get status of value list data streams

GET /api/lists/index

Verify that .lists and .items data streams exist.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- list_index boolean Required
- list_item_index boolean Required
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List data stream(s) not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/lists/index

curl \
 --request GET https://localhost:5601/api/lists/index

Response examples (200)

{
  "list_index": true,
  "list_item_index": true
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (404)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Delete value list data streams

DELETE /api/lists/index

Delete the .lists and .items data streams.

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- acknowledged boolean Required
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List data stream not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

DELETE /api/lists/index

curl \
 --request DELETE https://localhost:5601/api/lists/index

Response examples (200)

{
  "acknowledged": true
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (404)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Export value list items

POST /api/lists/items/_export

Export list item values from the specified value list.

Query parameters

list_id string(nonempty) Required

Value list's id to export.

Minimum length is 1.

Responses

200 application/ndjson

Successful response

A .txt file containing list items from the specified list
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/lists/items/_export

curl \
 --request POST https://localhost:5601/api/lists/items/_export?list_id=21b01cfb-058d-44b9-838c-282be16c91cd

Response examples (200)

127.0.0.1
127.0.0.2
127.0.0.3
127.0.0.4
127.0.0.5
127.0.0.6
127.0.0.7
127.0.0.8
127.0.0.9

Response examples (400)

{
  "error": "Bad Request\",\"message\":\"[request query]: list_id: Required",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Body Required

Body Required

Body Required

config object

secrets object

Update an existing dashboard Technical Preview

query string | object Required

query string | object Required

Create a dashboard Technical Preview

query string | object Required

query string | object Required

value string | number Required

value string | number Required

package_policies array[string] | array[object]

key object | string

key object | string Required

Update saved objects Deprecated

Body Required

Create a saved object Deprecated

Body Required

Body object Required

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]