Alerting

Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.





Get the rule types

GET /api/alerting/rule_types

If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • action_groups array[object]

      An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.

      Hide action_groups attributes Show action_groups attributes object
    • A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.

      Additional properties are allowed.

      Hide action_variables attributes Show action_variables attributes object
    • alerts object

      Details for writing alerts as data documents for this rule type.

      Additional properties are allowed.

      Hide alerts attributes Show alerts attributes object
      • context string

        The namespace for this rule type.

        Values are ml.anomaly-detection, observability.apm, observability.logs, observability.metrics, observability.slo, observability.threshold, observability.uptime, security, or stack.

      • dynamic string

        Indicates whether new fields are added dynamically.

        Values are false, runtime, strict, or true.

      • Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.

      • mappings object

        Additional properties are allowed.

        Hide mappings attribute Show mappings attribute object
        • fieldMap object

          Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.

          Hide fieldMap attribute Show fieldMap attribute object
          • * object Additional properties

            Additional properties are allowed.

            Hide * attributes Show * attributes object
            • array boolean

              Indicates whether the field is an array.

            • dynamic boolean

              Indicates whether it is a dynamic field mapping.

            • format string

              Indicates the format of the field. For example, if the type is date_range, the format can be epoch_millis||strict_date_optional_time.

            • Specifies the maximum length of a string field. Longer strings are not indexed or stored.

            • index boolean

              Indicates whether field values are indexed.

            • path string

              TBD

            • Details about the object properties. This property is applicable when type is object.

              Hide properties attribute Show properties attribute object
              • * object Additional properties

                Additional properties are allowed.

                Hide * attribute Show * attribute object
                • type string

                  The data type for each object property.

            • required boolean

              Indicates whether the field is required.

            • The scaling factor to use when encoding values. This property is applicable when type is scaled_float. Values will be multiplied by this factor at index time and rounded to the closest long value.

            • type string

              Specifies the data type for the field.

      • A secondary alias. It is typically used to support the signals alias for detection rules.

      • Indicates whether the rule should write out alerts as data.

      • useEcs boolean

        Indicates whether to include the ECS component template for the alerts.

      • Indicates whether to include the legacy component template for the alerts.

        Default value is false.

    • The list of the plugins IDs that have access to the rule type.

      Additional properties are allowed.

      Hide authorized_consumers attributes Show authorized_consumers attributes object
      • alerts object

        Additional properties are allowed.

        Hide alerts attributes Show alerts attributes object
      • apm object

        Additional properties are allowed.

        Hide apm attributes Show apm attributes object
      • discover object

        Additional properties are allowed.

        Hide discover attributes Show discover attributes object
      • Additional properties are allowed.

        Hide infrastructure attributes Show infrastructure attributes object
      • logs object

        Additional properties are allowed.

        Hide logs attributes Show logs attributes object
      • ml object

        Additional properties are allowed.

        Hide ml attributes Show ml attributes object
      • Additional properties are allowed.

        Hide monitoring attributes Show monitoring attributes object
      • siem object

        Additional properties are allowed.

        Hide siem attributes Show siem attributes object
      • slo object

        Additional properties are allowed.

        Hide slo attributes Show slo attributes object
      • Additional properties are allowed.

        Hide stackAlerts attributes Show stackAlerts attributes object
      • uptime object

        Additional properties are allowed.

        Hide uptime attributes Show uptime attributes object
    • category string

      The rule category, which is used by features such as category-specific maintenance windows.

      Values are management, observability, or securitySolution.

    • The default identifier for the rule type group.

    • Indicates whether the rule passes context variables to its recovery action.

    • Indicates whether the rule type is enabled or disabled based on the subscription.

    • Indicates whether the rule type has custom mappings for the alert data.

    • id string

      The unique identifier for the rule type.

    • Indicates whether the rule type is exportable in Stack Management > Saved Objects.

    • The subscriptions required to use the rule type.

    • name string

      The descriptive name of the rule type.

    • producer string

      An identifier for the application that produces this rule type.

    • An action group to use when an alert goes from an active state to an inactive one.

      Additional properties are allowed.

      Hide recovery_action_group attributes Show recovery_action_group attributes object
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/rule_types
curl \
 --request GET https://localhost:5601/api/alerting/rule_types
Response examples (200)
[
  {
    "id": "xpack.ml.anomaly_detection_alert",
    "name": "Anomaly detection alert",
    "alerts": {
      "context": "ml.anomaly-detection",
      "mappings": {
        "fieldMap": {
          "kibana.alert.job_id": {
            "type": "keyword",
            "array": false,
            "required": true
          },
          "kibana.alert.is_interim": {
            "type": "boolean",
            "array": false,
            "required": false
          },
          "kibana.alert.top_records": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "actual": {
                "type": "double"
              },
              "job_id": {
                "type": "keyword"
              },
              "typical": {
                "type": "double"
              },
              "function": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "field_name": {
                "type": "keyword"
              },
              "is_interim": {
                "type": "boolean"
              },
              "record_score": {
                "type": "double"
              },
              "by_field_name": {
                "type": "keyword"
              },
              "by_field_value": {
                "type": "keyword"
              },
              "detector_index": {
                "type": "integer"
              },
              "over_field_name": {
                "type": "keyword"
              },
              "over_field_value": {
                "type": "keyword"
              },
              "initial_record_score": {
                "type": "double"
              },
              "partition_field_name": {
                "type": "keyword"
              },
              "partition_field_value": {
                "type": "keyword"
              }
            }
          },
          "kibana.alert.anomaly_score": {
            "type": "double",
            "array": false,
            "required": false
          },
          "kibana.alert.top_influencers": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "job_id": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "is_interim": {
                "type": "boolean"
              },
              "influencer_score": {
                "type": "double"
              },
              "influencer_field_name": {
                "type": "keyword"
              },
              "influencer_field_value": {
                "type": "keyword"
              },
              "initial_influencer_score": {
                "type": "double"
              }
            }
          },
          "kibana.alert.anomaly_timestamp": {
            "type": "date",
            "array": false,
            "required": false
          }
        }
      },
      "shouldWrite": true
    },
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_score_match",
        "name": "Anomaly score matched the condition"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "timestamp",
          "description": "The bucket timestamp of the anomaly"
        },
        {
          "name": "timestampIso8601",
          "description": "The bucket time of the anomaly in ISO8601 format"
        },
        {
          "name": "jobIds",
          "description": "List of job IDs that triggered the alert"
        },
        {
          "name": "message",
          "description": "Alert info message"
        },
        {
          "name": "isInterim",
          "description": "Indicate if top hits contain interim results"
        },
        {
          "name": "score",
          "description": "Anomaly score at the time of the notification action"
        },
        {
          "name": "topRecords",
          "description": "Top records"
        },
        {
          "name": "topInfluencers",
          "description": "Top influencers"
        },
        {
          "name": "anomalyExplorerUrl",
          "description": "URL to open in the Anomaly Explorer",
          "useWithTripleBracesInTemplates": true
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": true,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_score_match",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  },
  {
    "id": "xpack.ml.anomaly_detection_jobs_health",
    "name": "Anomaly detection jobs health",
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_detection_realtime_issue",
        "name": "Issue detected"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "results",
          "description": "Results of the rule execution"
        },
        {
          "name": "message",
          "description": "Alert info message"
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": false,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_detection_realtime_issue",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
















































APM agent configuration

Adjust APM agent configuration without need to redeploy your application.

Get a list of agent configurations

GET /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • configurations array[object]

      Agent configuration

      Hide configurations attributes Show configurations attributes object
      • @timestamp number Required

        Timestamp

      • Agent name

      • Applied by agent

      • etag string Required

        Etag

      • service object Required

        Service

        Additional properties are allowed.

        Hide service attributes Show service attributes object
      • settings object Required

        Agent configuration settings

        Hide settings attribute Show settings attribute object
        • * string Additional properties
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration
curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "configurations": [
    {
      "@timestamp": 1730194190636,
      "agent_name": "string",
      "applied_by_agent": true,
      "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
      "service": {
        "environment": "prod",
        "name": "node"
      },
      "settings": {
        "additionalProperty1": "string",
        "additionalProperty2": "string"
      }
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Create or update agent configuration

PUT /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • overwrite boolean

    If the config exists ?overwrite=true is required

application/json

Body Required

  • Agent name

  • service object Required

    Service

    Additional properties are allowed.

    Hide service attributes Show service attributes object
  • settings object Required

    Agent configuration settings

    Hide settings attribute Show settings attribute object
    • * string Additional properties

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
PUT /api/apm/settings/agent-configuration
curl \
 --request PUT https://localhost:5601/api/apm/settings/agent-configuration \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"agent_name":"string","service":{"environment":"prod","name":"node"},"settings":{"additionalProperty1":"string","additionalProperty2":"string"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "agent_name": "string",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}
















Get single agent configuration

GET /api/apm/settings/agent-configuration/view

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/view
curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration/view \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "id": "string",
  "@timestamp": 1730194190636,
  "agent_name": "string",
  "applied_by_agent": true,
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}




















Get source maps

GET /api/apm/sourcemaps

Returns an array of Fleet artifacts, including source map uploads.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

GET /api/apm/sourcemaps
curl \
 --request GET https://localhost:5601/api/apm/sourcemaps \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "artifacts": [
    {
      "body": {
        "bundleFilepath": "string",
        "serviceName": "string",
        "serviceVersion": "string",
        "sourceMap": {
          "file": "string",
          "mappings": "string",
          "sourceRoot": "string",
          "sources": [
            "string"
          ],
          "sourcesContent": [
            "string"
          ],
          "version": 42.0
        }
      },
      "compressionAlgorithm": "string",
      "created": "string",
      "decodedSha256": "string",
      "decodedSize": 42.0,
      "encodedSha256": "string",
      "encodedSize": 42.0,
      "encryptionAlgorithm": "string",
      "id": "string",
      "identifier": "string",
      "packageName": "string",
      "relative_url": "string",
      "type": "string"
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}













Delete cases

DELETE /api/cases

You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Query parameters

  • ids array[string] Required

    The cases that you want to removed. All non-ASCII characters must be URL encoded.

Responses

  • Indicates a successful call.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
DELETE /api/cases
curl \
 --request DELETE https://localhost:5601/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43 \
 --header "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
















































































Connectors

Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.

















Delete a connector

DELETE /api/actions/connector/{id}

WARNING: When you delete a connector, it cannot be recovered.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

Responses

  • Indicates a successful call.

DELETE /api/actions/connector/{id}
curl \
 --request DELETE https://localhost:5601/api/actions/connector/{id} \
 --header "kbn-xsrf: true"





















Create a dashboard Technical Preview

POST /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string

    A unique identifier for the dashboard.

application/json

Body

  • attributes object Required

    Additional properties are NOT allowed.

    Hide attributes attributes Show attributes attributes object
    • Additional properties are NOT allowed.

      Hide controlGroupInput attributes Show controlGroupInput attributes object
      • Show apply selections button in controls.

        Default value is true.

      • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

        Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

      • controls array[object]

        An array of control panels and their state in the control group.

        Default value is [] (empty).

        Hide controls attributes Show controls attributes object
        • Additional properties are allowed.

        • grow boolean

          Expand width of the control panel to fit available space.

          Default value is false.

        • id string

          The unique ID of the control.

        • order number Required

          The order of the control panel in the control group.

        • type string Required

          The type of the control panel.

        • width string

          Minimum width of the control panel in the control group.

          Values are small, medium, or large. Default value is medium.

      • Additional properties are allowed.

      • ignoreParentSettings object Required

        Additional properties are NOT allowed.

        Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
        • Ignore global filters in controls.

          Default value is false.

        • Ignore the global query bar in controls.

          Default value is false.

        • Ignore the global time range in controls.

          Default value is false.

        • Ignore validations in controls.

          Default value is false.

      • Position of the labels for controls. For example, "oneLine", "twoLine".

        Values are oneLine or twoLine. Default value is oneLine.

    • A short description.

      Default value is empty.

    • A container for various metadata

      Default value is {} (empty). Additional properties are NOT allowed.

      Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
      • Additional properties are allowed.

        Hide searchSource attributes Show searchSource attributes object
        • filter array[object]
          Hide filter attributes Show filter attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

            Hide meta attributes Show meta attributes object
          • query object

            Additional properties are allowed.

        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
        • sort array[object]
        • type string
    • options object Required

      Additional properties are NOT allowed.

      Hide options attributes Show options attributes object
      • Hide the panel titles in the dashboard.

        Default value is false.

      • syncColors boolean

        Synchronize colors between related panels in the dashboard.

        Default value is true.

      • syncCursor boolean

        Synchronize cursor position between related panels in the dashboard.

        Default value is true.

      • Synchronize tooltips between related panels in the dashboard.

        Default value is true.

      • useMargins boolean

        Show margins between panels in the dashboard layout.

        Default value is true.

    • panels array[object]

      Default value is [] (empty).

      Hide panels attributes Show panels attributes object
      • gridData object Required

        Additional properties are NOT allowed.

        Hide gridData attributes Show gridData attributes object
        • h number

          The height of the panel in grid units

          Minimum value is 1. Default value is 15.

        • i string

          The unique identifier of the panel

        • w number

          The width of the panel in grid units

          Minimum value is 1, maximum value is 48. Default value is 24.

        • x number Required

          The x coordinate of the panel in grid units

        • y number Required

          The y coordinate of the panel in grid units

      • id string

        The saved object id for by reference panels

      • panelConfig object Required

        Additional properties are allowed.

        Hide panelConfig attributes Show panelConfig attributes object
      • The unique ID of the panel.

      • title string

        The title of the panel

      • type string Required

        The embeddable type

      • version string Deprecated

        The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

    • A container for various refresh interval settings

      Additional properties are NOT allowed.

      Hide refreshInterval attributes Show refreshInterval attributes object
      • display string Deprecated

        A human-readable string indicating the refresh frequency. No longer used.

      • pause boolean Required

        Whether the refresh interval is set to be paused while viewing the dashboard.

      • section number Deprecated

        No longer used.

      • value number Required

        A numeric value indicating refresh frequency in milliseconds.

    • timeFrom string

      An ISO string indicating when to restore time from

    • Whether to restore time upon viewing this dashboard

      Default value is false.

    • timeTo string

      An ISO string indicating when to restore time from

    • title string Required

      A human-readable title for the dashboard

    • version number Deprecated
  • references array[object]
    Hide references attributes Show references attributes object
  • spaces array[string]

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • Show apply selections button in controls.

            Default value is true.

          • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • Ignore global filters in controls.

              Default value is false.

            • Ignore the global query bar in controls.

              Default value is false.

            • Ignore the global time range in controls.

              Default value is false.

            • Ignore validations in controls.

              Default value is false.

          • Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • A short description.

          Default value is empty.

        • A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]
              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • version string
POST /api/dashboards/dashboard/{id}
curl \
 --request POST https://localhost:5601/api/dashboards/dashboard/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"attributes":{"controlGroupInput":{"autoApplySelections":true,"chainingSystem":"HIERARCHICAL","controls":[{"controlConfig":{},"grow":false,"id":"string","order":42.0,"type":"string","width":"medium"}],"enhancements":{},"ignoreParentSettings":{"ignoreFilters":false,"ignoreQuery":false,"ignoreTimerange":false,"ignoreValidations":false},"labelPosition":"oneLine"},"description":"","kibanaSavedObjectMeta":{"searchSource":{"filter":[{"$state":{"store":"appState"},"meta":{"alias":"string","controlledBy":"string","disabled":true,"field":"string","group":"string","index":"string","isMultiIndex":true,"key":"string","negate":true,"type":"string","value":"string"},"query":{}}],"query":{"language":"string","query":"string"},"sort":[{}],"type":"string"}},"options":{"hidePanelTitles":false,"syncColors":true,"syncCursor":true,"syncTooltips":true,"useMargins":true},"panels":[{"gridData":{"h":15,"i":"string","w":24,"x":42.0,"y":42.0},"id":"string","panelConfig":{"description":"string","enhancements":{},"hidePanelTitles":true,"savedObjectId":"string","title":"string","version":"string"},"panelIndex":"string","panelRefName":"string","title":"string","type":"string","version":"string"}],"refreshInterval":{"display":"string","pause":true,"section":42.0,"value":42.0},"timeFrom":"string","timeRestore":false,"timeTo":"string","title":"string","version":42.0},"references":[{"id":"string","name":"string","type":"string"}],"spaces":["string"]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "attributes": {
    "controlGroupInput": {
      "autoApplySelections": true,
      "chainingSystem": "HIERARCHICAL",
      "controls": [
        {
          "controlConfig": {},
          "grow": false,
          "id": "string",
          "order": 42.0,
          "type": "string",
          "width": "medium"
        }
      ],
      "enhancements": {},
      "ignoreParentSettings": {
        "ignoreFilters": false,
        "ignoreQuery": false,
        "ignoreTimerange": false,
        "ignoreValidations": false
      },
      "labelPosition": "oneLine"
    },
    "description": "",
    "kibanaSavedObjectMeta": {
      "searchSource": {
        "filter": [
          {
            "$state": {
              "store": "appState"
            },
            "meta": {
              "alias": "string",
              "controlledBy": "string",
              "disabled": true,
              "field": "string",
              "group": "string",
              "index": "string",
              "isMultiIndex": true,
              "key": "string",
              "negate": true,
              "type": "string",
              "value": "string"
            },
            "query": {}
          }
        ],
        "query": {
          "language": "string",
          "query": "string"
        },
        "sort": [
          {}
        ],
        "type": "string"
      }
    },
    "options": {
      "hidePanelTitles": false,
      "syncColors": true,
      "syncCursor": true,
      "syncTooltips": true,
      "useMargins": true
    },
    "panels": [
      {
        "gridData": {
          "h": 15,
          "i": "string",
          "w": 24,
          "x": 42.0,
          "y": 42.0
        },
        "id": "string",
        "panelConfig": {
          "description": "string",
          "enhancements": {},
          "hidePanelTitles": true,
          "savedObjectId": "string",
          "title": "string",
          "version": "string"
        },
        "panelIndex": "string",
        "panelRefName": "string",
        "title": "string",
        "type": "string",
        "version": "string"
      }
    ],
    "refreshInterval": {
      "display": "string",
      "pause": true,
      "section": 42.0,
      "value": 42.0
    },
    "timeFrom": "string",
    "timeRestore": false,
    "timeTo": "string",
    "title": "string",
    "version": 42.0
  },
  "references": [
    {
      "id": "string",
      "name": "string",
      "type": "string"
    }
  ],
  "spaces": [
    "string"
  ]
}
Response examples (200)
{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  }
}










































Create a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • name string Required

    The name for a runtime field.

  • runtimeField object Required

    The runtime field definition object.

    Additional properties are allowed.

Responses

  • 200 application/json

    Indicates a successful call.

    Additional properties are allowed.

POST /api/data_views/data_view/{viewId}/runtime_field
curl \
 --request POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
Request example
{
  "name": "runtimeFoo",
  "runtimeField": {
    "type": "long",
    "script": {
      "source": "emit(doc[\"foo\"].value)"
    }
  }
}
Response examples (200)
{}

Get a runtime field

GET /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Additional properties are allowed.

    • fields array[object]

      Additional properties are allowed.

  • 404 application/json

    Object is not found.

    Hide response attributes Show response attributes object
GET /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
 --request GET https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day
Response examples (200)
{
  "fields": [
    {
      "name": "hour_of_day",
      "type": "number",
      "count": 0,
      "esTypes": [
        "long"
      ],
      "scripted": false,
      "searchable": true,
      "aggregatable": true,
      "runtimeField": {
        "type": "long",
        "script": {
          "source": "emit(doc['timestamp'].value.getHour());"
        }
      },
      "shortDotsEnable": false,
      "readFromDocValues": false
    }
  ],
  "data_view": {
    "id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
    "name": "Kibana Sample Data Flights",
    "title": "kibana_sample_data_flights",
    "fields": {
      "_id": {
        "name": "_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_id"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Dest": {
        "name": "Dest",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "Origin": {
        "name": "Origin",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_index": {
        "name": "_index",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_index"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_score": {
        "name": "_score",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Carrier": {
        "name": "Carrier",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_source": {
        "name": "_source",
        "type": "_source",
        "count": 0,
        "format": {
          "id": "_source"
        },
        "esTypes": [
          "_source"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Cancelled": {
        "name": "Cancelled",
        "type": "boolean",
        "count": 0,
        "format": {
          "id": "boolean"
        },
        "esTypes": [
          "boolean"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightNum": {
        "name": "FlightNum",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "dayOfWeek": {
        "name": "dayOfWeek",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "timestamp": {
        "name": "timestamp",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestRegion": {
        "name": "DestRegion",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestCountry": {
        "name": "DestCountry",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestWeather": {
        "name": "DestWeather",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelay": {
        "name": "FlightDelay",
        "type": "boolean",
        "count": 0,
        "format": {
          "id": "boolean"
        },
        "esTypes": [
          "boolean"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "hour_of_day": {
        "name": "hour_of_day",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "00"
          }
        },
        "esTypes": [
          "long"
        ],
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "runtimeField": {
          "type": "long",
          "script": {
            "source": "emit(doc['timestamp'].value.getHour());"
          }
        },
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "DestCityName": {
        "name": "DestCityName",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestLocation": {
        "name": "DestLocation",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginRegion": {
        "name": "OriginRegion",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestAirportID": {
        "name": "DestAirportID",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DistanceMiles": {
        "name": "DistanceMiles",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightTimeMin": {
        "name": "FlightTimeMin",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginCountry": {
        "name": "OriginCountry",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginWeather": {
        "name": "OriginWeather",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "AvgTicketPrice": {
        "name": "AvgTicketPrice",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.[00]"
          }
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelayMin": {
        "name": "FlightDelayMin",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightTimeHour": {
        "name": "FlightTimeHour",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginCityName": {
        "name": "OriginCityName",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginLocation": {
        "name": "OriginLocation",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelayType": {
        "name": "FlightDelayType",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginAirportID": {
        "name": "OriginAirportID",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DistanceKilometers": {
        "name": "DistanceKilometers",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      }
    },
    "version": "WzM2LDJd",
    "fieldAttrs": {},
    "allowNoIndex": false,
    "fieldFormats": {
      "hour_of_day": {
        "id": "number",
        "params": {
          "pattern": "00"
        }
      },
      "AvgTicketPrice": {
        "id": "number",
        "params": {
          "pattern": "$0,0.[00]"
        }
      }
    },
    "sourceFilters": [],
    "timeFieldName": "timestamp",
    "runtimeFieldMap": {
      "hour_of_day": {
        "type": "long",
        "script": {
          "source": "emit(doc['timestamp'].value.getHour());"
        }
      }
    }
  }
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

















































Cancel an agent action

POST /api/fleet/agents/actions/{actionId}/cancel

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Responses

POST /api/fleet/agents/actions/{actionId}/cancel
curl \
 --request POST https://localhost:5601/api/fleet/agents/actions/{actionId}/cancel \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "item": {
    "agents": [
      "string"
    ],
    "created_at": "string",
    "expiration": "string",
    "id": "string",
    "minimum_execution_duration": 42.0,
    "namespaces": [
      "string"
    ],
    "rollout_duration_seconds": 42.0,
    "sent_at": "string",
    "source_uri": "string",
    "start_time": "string",
    "total": 42.0,
    "type": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}










































Get agent policies

GET /api/fleet/agent_policies

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].

Query parameters

Responses

GET /api/fleet/agent_policies
curl \
 --request GET https://localhost:5601/api/fleet/agent_policies
Response examples (200)
{
  "items": [
    {
      "advanced_settings": {},
      "agent_features": [
        {
          "enabled": true,
          "name": "string"
        }
      ],
      "agentless": {
        "resources": {
          "requests": {
            "cpu": "string",
            "memory": "string"
          }
        }
      },
      "agents": 42.0,
      "data_output_id": "string",
      "description": "string",
      "download_source_id": "string",
      "fleet_server_host_id": "string",
      "global_data_tags": [
        {
          "name": "string",
          "value": "string"
        }
      ],
      "has_fleet_server": true,
      "id": "string",
      "inactivity_timeout": 1209600,
      "is_default": true,
      "is_default_fleet_server": true,
      "is_managed": true,
      "is_preconfigured": true,
      "is_protected": true,
      "keep_monitoring_alive": false,
      "monitoring_diagnostics": {
        "limit": {
          "burst": 42.0,
          "interval": "string"
        },
        "uploader": {
          "init_dur": "string",
          "max_dur": "string",
          "max_retries": 42.0
        }
      },
      "monitoring_enabled": [
        "logs"
      ],
      "monitoring_http": {
        "buffer": {
          "enabled": false
        },
        "enabled": true,
        "host": "string",
        "port": 42.0
      },
      "monitoring_output_id": "string",
      "monitoring_pprof_enabled": true,
      "name": "string",
      "namespace": "string",
      "overrides": {},
      "package_policies": [
        "string"
      ],
      "required_versions": [
        {
          "percentage": 42.0,
          "version": "string"
        }
      ],
      "revision": 42.0,
      "schema_version": "string",
      "space_ids": [
        "string"
      ],
      "status": "active",
      "supports_agentless": false,
      "unenroll_timeout": 42.0,
      "unprivileged_agents": 42.0,
      "updated_at": "string",
      "updated_by": "string",
      "version": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
















Copy an agent policy

POST /api/fleet/agent_policies/{agentPolicyId}/copy

Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body

Responses

POST /api/fleet/agent_policies/{agentPolicyId}/copy
curl \
 --request POST https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/copy \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"description":"string","name":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "name": "string"
}
Response examples (200)
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




















Get a full K8s agent manifest

GET /api/fleet/kubernetes

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/kubernetes
curl \
 --request GET https://localhost:5601/api/fleet/kubernetes
Response examples (200)
{
  "item": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Get an agent status summary

GET /api/fleet/agent_status

Query parameters

Responses

GET /api/fleet/agent_status
curl \
 --request GET https://localhost:5601/api/fleet/agent_status
Response examples (200)
{
  "results": {
    "active": 42.0,
    "all": 42.0,
    "error": 42.0,
    "events": 42.0,
    "inactive": 42.0,
    "offline": 42.0,
    "online": 42.0,
    "orphaned": 42.0,
    "other": 42.0,
    "unenrolled": 42.0,
    "uninstalled": 42.0,
    "updating": 42.0
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

























Get agent uploads

GET /api/fleet/agents/{agentId}/uploads

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/agents/{agentId}/uploads
curl \
 --request GET https://localhost:5601/api/fleet/agents/{agentId}/uploads
Response examples (200)
{
  "items": [
    {
      "actionId": "string",
      "createTime": "string",
      "error": "string",
      "filePath": "string",
      "id": "string",
      "name": "string",
      "status": "READY"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
















Initiate agent setup

POST /api/fleet/agents/setup

[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

POST /api/fleet/agents/setup
curl \
 --request POST https://localhost:5601/api/fleet/agents/setup \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "isInitialized": true,
  "nonFatalErrors": [
    {
      "message": "string",
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Bulk get assets

POST /api/fleet/epm/bulk_assets

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • assetIds array[object] Required
    Hide assetIds attributes Show assetIds attributes object

Responses

POST /api/fleet/epm/bulk_assets
curl \
 --request POST https://localhost:5601/api/fleet/epm/bulk_assets \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"assetIds":[{"id":"string","type":"string"}]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "assetIds": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}
Response examples (200)
{
  "items": [
    {
      "appLink": "string",
      "attributes": {
        "description": "string",
        "service": "string",
        "title": "string"
      },
      "id": "string",
      "type": "string",
      "updatedAt": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
























Update package settings

PUT /api/fleet/epm/packages/{pkgName}/{pkgVersion}

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Responses

PUT /api/fleet/epm/packages/{pkgName}/{pkgVersion}
curl \
 --request PUT https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"keepPoliciesUpToDate":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "keepPoliciesUpToDate": true
}
Response examples (200)
{
  "item": {
    "agent": {
      "privileges": {
        "root": true
      }
    },
    "asset_tags": [
      {
        "asset_ids": [
          "string"
        ],
        "asset_types": [
          "string"
        ],
        "text": "string"
      }
    ],
    "assets": {},
    "categories": [
      "string"
    ],
    "conditions": {
      "elastic": {
        "capabilities": [
          "string"
        ],
        "subscription": "string"
      },
      "kibana": {
        "version": "string"
      }
    },
    "data_streams": [
      {}
    ],
    "description": "string",
    "discovery": {
      "fields": [
        {
          "name": "string"
        }
      ]
    },
    "download": "string",
    "elasticsearch": {},
    "format_version": "string",
    "icons": [
      {
        "dark_mode": true,
        "path": "string",
        "size": "string",
        "src": "string",
        "title": "string",
        "type": "string"
      }
    ],
    "installationInfo": {
      "additional_spaces_installed_kibana": {
        "additionalProperty1": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ],
        "additionalProperty2": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ]
      },
      "created_at": "string",
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "install_format_schema_version": "string",
      "install_source": "registry",
      "install_status": "installed",
      "installed_es": [
        {
          "deferred": true,
          "id": "string",
          "type": "index",
          "version": "string"
        }
      ],
      "installed_kibana": [
        {
          "id": "string",
          "originId": "string",
          "type": "dashboard"
        }
      ],
      "installed_kibana_space_id": "string",
      "latest_executed_state": {
        "error": "string",
        "name": "string",
        "started_at": "string"
      },
      "latest_install_failed_attempts": [
        {
          "created_at": "string",
          "error": {
            "message": "string",
            "name": "string",
            "stack": "string"
          },
          "target_version": "string"
        }
      ],
      "name": "string",
      "namespaces": [
        "string"
      ],
      "type": "string",
      "updated_at": "string",
      "verification_key_id": "string",
      "verification_status": "unverified",
      "version": "string"
    },
    "internal": true,
    "keepPoliciesUpToDate": true,
    "latestVersion": "string",
    "license": "string",
    "licensePath": "string",
    "name": "string",
    "notice": "string",
    "owner": {
      "github": "string",
      "type": "elastic"
    },
    "path": "string",
    "policy_templates": [
      {}
    ],
    "readme": "string",
    "release": "ga",
    "screenshots": [
      {
        "dark_mode": true,
        "path": "string",
        "size": "string",
        "src": "string",
        "title": "string",
        "type": "string"
      }
    ],
    "signature_path": "string",
    "source": {
      "license": "string"
    },
    "status": "string",
    "title": "string",
    "type": "integration",
    "vars": [
      {}
    ],
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Delete a package

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}
curl \
 --request DELETE https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}









































Revoke an enrollment API key

DELETE /api/fleet/enrollment_api_keys/{keyId}

Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • action string Required

      Value is deleted.

  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/enrollment_api_keys/{keyId}
curl \
 --request DELETE https://localhost:5601/api/fleet/enrollment_api_keys/{keyId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "action": "deleted"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}






























Create output

POST /api/fleet/outputs

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body object

Any of:

Responses

POST /api/fleet/outputs
curl \
 --request POST https://localhost:5601/api/fleet/outputs \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"allow_edit":["string"],"ca_sha256":"string","ca_trusted_fingerprint":"string","config_yaml":"string","hosts":["https://example.com"],"id":"string","is_default":false,"is_default_monitoring":false,"is_internal":true,"is_preconfigured":true,"name":"string","preset":"balanced","proxy_id":"string","shipper":{"compression_level":42.0,"disk_queue_compression_enabled":true,"disk_queue_enabled":false,"disk_queue_encryption_enabled":true,"disk_queue_max_size":42.0,"disk_queue_path":"string","loadbalance":true,"max_batch_bytes":42.0,"mem_queue_events":42.0,"queue_flush_timeout":42.0},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string","verification_mode":"full"},"type":"elasticsearch"}'
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "elasticsearch"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "kibana_api_key": "string",
  "kibana_url": "string",
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "secrets": {
    "kibana_api_key": {
      "id": "string"
    },
    "service_token": {
      "id": "string"
    }
  },
  "service_token": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "sync_integrations": true,
  "type": "remote_elasticsearch"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "logstash"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "auth_type": "none",
  "broker_timeout": 42.0,
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "client_id": "string",
  "compression": "gzip",
  "compression_level": [],
  "config_yaml": "string",
  "connection_type": [],
  "hash": {
    "hash": "string",
    "random": true
  },
  "headers": [
    {
      "key": "string",
      "value": "string"
    }
  ],
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "key": "string",
  "name": "string",
  "partition": "random",
  "password": [],
  "proxy_id": "string",
  "random": {
    "group_events": 42.0
  },
  "required_acks": 1,
  "round_robin": {
    "group_events": 42.0
  },
  "sasl": {
    "mechanism": "PLAIN"
  },
  "secrets": {
    "password": {
      "id": "string"
    },
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "timeout": 42.0,
  "topic": "string",
  "type": "kafka",
  "username": [],
  "version": "string"
}
Response examples (200)
{
  "item": {
    "allow_edit": [
      "string"
    ],
    "ca_sha256": "string",
    "ca_trusted_fingerprint": "string",
    "config_yaml": "string",
    "hosts": [
      "https://example.com"
    ],
    "id": "string",
    "is_default": false,
    "is_default_monitoring": false,
    "is_internal": true,
    "is_preconfigured": true,
    "name": "string",
    "preset": "balanced",
    "proxy_id": "string",
    "shipper": {
      "compression_level": 42.0,
      "disk_queue_compression_enabled": true,
      "disk_queue_enabled": false,
      "disk_queue_encryption_enabled": true,
      "disk_queue_max_size": 42.0,
      "disk_queue_path": "string",
      "loadbalance": true,
      "max_batch_bytes": 42.0,
      "mem_queue_events": 42.0,
      "queue_flush_timeout": 42.0
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string",
      "verification_mode": "full"
    },
    "type": "elasticsearch"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}












Get the latest output health

GET /api/fleet/outputs/{outputId}/health

[Required authorization] Route required privileges: ALL of [fleet-settings-read].

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • message string Required

      long message if unhealthy

    • state string Required

      state of output, HEALTHY or DEGRADED

    • timestamp string Required

      timestamp of reported state

  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/outputs/{outputId}/health
curl \
 --request GET https://localhost:5601/api/fleet/outputs/{outputId}/health
Response examples (200)
{
  "message": "string",
  "state": "string",
  "timestamp": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}














































Get a proxy

GET /api/fleet/proxies/{itemId}

Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].

Responses

GET /api/fleet/proxies/{itemId}
curl \
 --request GET https://localhost:5601/api/fleet/proxies/{itemId}
Response examples (200)
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}







































Get a decrypted uninstall token

GET /api/fleet/uninstall_tokens/{uninstallTokenId}

Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Responses

GET /api/fleet/uninstall_tokens/{uninstallTokenId}
curl \
 --request GET https://localhost:5601/api/fleet/uninstall_tokens/{uninstallTokenId}
Response examples (200)
{
  "item": {
    "created_at": "string",
    "id": "string",
    "namespaces": [
      "string"
    ],
    "policy_id": "string",
    "policy_name": "string",
    "token": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}





Machine learning

Machine learning

Sync saved objects in the default space

GET /api/ml/saved_objects/sync

Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have all privileges for the Machine Learning feature in the Analytics section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.

Query parameters

  • simulate boolean

    When true, simulates the synchronization by returning only the list of actions that would be performed.

Responses

  • 200 application/json

    Indicates a successful call

    Hide response attributes Show response attributes object
    • If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.

      Hide datafeedsAdded attribute Show datafeedsAdded attribute object
      • * object Additional properties

        The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.

        Additional properties are allowed.

        Hide * attribute Show * attribute object
        • success boolean

          The success or failure of the synchronization.

    • If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.

      Hide datafeedsRemoved attribute Show datafeedsRemoved attribute object
      • * object Additional properties

        The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.

        Additional properties are allowed.

        Hide * attribute Show * attribute object
        • success boolean

          The success or failure of the synchronization.

    • If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.

      Additional properties are allowed.

      Hide savedObjectsCreated attributes Show savedObjectsCreated attributes object
      • If saved objects are missing for anomaly detection jobs, they are created.

        Hide anomaly-detector attribute Show anomaly-detector attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • If saved objects are missing for data frame analytics jobs, they are created.

        Hide data-frame-analytics attribute Show data-frame-analytics attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • If saved objects are missing for trained models, they are created.

        Hide trained-model attribute Show trained-model attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

    • If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.

      Additional properties are allowed.

      Hide savedObjectsDeleted attributes Show savedObjectsDeleted attributes object
      • If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted.

        Hide anomaly-detector attribute Show anomaly-detector attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted.

        Hide data-frame-analytics attribute Show data-frame-analytics attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • If there are saved objects exist for nonexistent trained models, they are deleted.

        Hide trained-model attribute Show trained-model attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/ml/saved_objects/sync
curl \
 --request GET https://localhost:5601/api/ml/saved_objects/sync
Response examples (200)
{
  "datafeedsAdded": {},
  "datafeedsRemoved": {},
  "savedObjectsCreated": {
    "anomaly-detector": {
      "myjob1": {
        "success": true
      },
      "myjob2": {
        "success": true
      }
    }
  },
  "savedObjectsDeleted": {}
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}









Create or update a role

PUT /api/security/role/{name}

Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • name string Required

    The role name.

    Minimum length is 1, maximum length is 1024.

Query parameters

  • createOnly boolean

    When true, a role is not overwritten if it already exists.

    Default value is false.

application/json

Body

  • A description for the role.

    Maximum length is 2048.

  • elasticsearch object Required

    Additional properties are NOT allowed.

    Hide elasticsearch attributes Show elasticsearch attributes object
    • cluster array[string]

      Cluster privileges that define the cluster level actions that users can perform.

    • indices array[object]
      Hide indices attributes Show indices attributes object
      • Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.

      • Hide field_security attribute Show field_security attribute object
        • * array[string] Additional properties

          The document fields that the role members have read access to.

      • names array[string] Required

        The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).

        At least 1 element.

      • privileges array[string] Required

        The index level privileges that the role members have for the data streams and indices.

        At least 1 element.

      • query string

        A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

    • remote_cluster array[object]
      Hide remote_cluster attributes Show remote_cluster attributes object
      • clusters array[string] Required

        A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

        At least 1 element.

      • privileges array[string] Required

        The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.

        At least 1 element.

    • remote_indices array[object]
      Hide remote_indices attributes Show remote_indices attributes object
      • Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.

      • clusters array[string] Required

        A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

        At least 1 element.

      • Hide field_security attribute Show field_security attribute object
        • * array[string] Additional properties

          The document fields that the role members have read access to.

      • names array[string] Required

        A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).

        At least 1 element.

      • privileges array[string] Required

        The index level privileges that role members have for the specified indices.

        At least 1 element.

      • query string

        A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

    • run_as array[string]

      A user name that the role member can impersonate.

  • kibana array[object]
    Hide kibana attributes Show kibana attributes object
  • metadata object

    Additional properties are allowed.

Responses

  • Indicates a successful call.

PUT /api/security/role/{name}
curl \
 --request PUT https://localhost:5601/api/security/role/{name} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"kibana":[{"base":[],"spaces":["default"],"feature":{"discover":["all"],"dashboard":["all"]}},{"base":["read"],"spaces":["marketing","sales"]}],"metadata":{"version":1},"description":"Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.","elasticsearch":{"cluster":[],"indices":[]}}'
Grant access to various features in some spaces.
{
  "kibana": [
    {
      "base": [],
      "spaces": [
        "default"
      ],
      "feature": {
        "discover": [
          "all"
        ],
        "dashboard": [
          "all"
        ]
      }
    },
    {
      "base": [
        "read"
      ],
      "spaces": [
        "marketing",
        "sales"
      ]
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.",
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant access to dashboard features in a Marketing space.
{
  "kibana": [
    {
      "base": [],
      "spaces": [
        "marketing"
      ],
      "feature": {
        "dashboard": [
          "read"
        ]
      }
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant dashboard access in the Marketing space.",
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant full access to all features in the default space.
{
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant Elasticsearch and Kibana feature privileges.
{
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space.",
  "elasticsearch": {
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "index1",
          "index2"
        ],
        "privileges": [
          "all"
        ]
      }
    ],
    "remote_cluster": [
      {
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "monitor_enrich"
        ]
      }
    ],
    "remote_indices": [
      {
        "names": [
          "remote_index1",
          "remote_index2"
        ],
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "all"
        ]
      }
    ]
  }
}





























Update saved objects Deprecated

POST /api/saved_objects/_bulk_update

Update the attributes for multiple Kibana saved objects.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

object object

Additional properties are allowed.

Responses

  • 200 application/json

    Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.

    Additional properties are allowed.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/saved_objects/_bulk_update
curl \
 --request POST https://localhost:5601/api/saved_objects/_bulk_update \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'
Request examples
# Headers
kbn-xsrf: string

# Payload
[
  {}
]
Response examples (200)
{}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}
















Create a saved object Deprecated

POST /api/saved_objects/{type}

Create a Kibana saved object with a randomly generated identifier.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • type string Required

    Valid options include visualization, dashboard, search, index-pattern, config.

Query parameters

  • overwrite boolean

    If true, overwrites the document with the same identifier.

application/json

Body Required

  • attributes object Required

    The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.

    Additional properties are allowed.

  • Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single' or namespaceType: 'multiple-isolated'), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered withnamespaceType: agnostic`), this option cannot be used.

  • Objects with name, id, and type properties that describe the other saved objects that this object references. Use name in attributes to refer to the other saved object, but never the id, which can update automatically during migrations or import and export.

Responses

  • 200 application/json

    Indicates a successful call.

    Additional properties are allowed.

  • 409 application/json

    Indicates a conflict error.

    Additional properties are allowed.

POST /api/saved_objects/{type}
curl \
 --request POST https://localhost:5601/api/saved_objects/{type} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"attributes":{},"initialNamespaces":[],"references":[]}'
Request examples
# Headers
kbn-xsrf: string

# Payload
{
  "attributes": {},
  "initialNamespaces": [],
  "references": []
}
Response examples (200)
{}
Response examples (409)
{}












Resolve a saved object Deprecated

GET /api/saved_objects/resolve/{type}/{id}

Retrieve a single Kibana saved object by identifier using any legacy URL alias if it exists. Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved using either its new ID or its old ID.

Path parameters

  • id string Required

    An identifier for the saved object.

  • type string Required

    Valid options include visualization, dashboard, search, index-pattern, config.

Responses

  • 200 application/json

    Indicates a successful call.

    Additional properties are allowed.

  • 400 application/json

    Bad request.

    Hide response attributes Show response attributes object
GET /api/saved_objects/resolve/{type}/{id}
curl \
 --request GET https://localhost:5601/api/saved_objects/resolve/{type}/{id}
Response examples (200)
{}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}





Get anonymization fields

GET /api/security_ai_assistant/anonymization_fields/_find

Get a list of all anonymization fields.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • Field to sort by

    Values are created_at, anonymized, allowed, field, or updated_at.

  • Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    AnonymizationFields per page

    Minimum value is 0. Default value is 20.

Responses

GET /api/security_ai_assistant/anonymization_fields/_find
curl \
 --request GET https://localhost:5601/api/security_ai_assistant/anonymization_fields/_find
Response examples (200)
{
  "data": [
    {
      "allowed": true,
      "anonymized": true,
      "createdAt": "string",
      "createdBy": "string",
      "field": "string",
      "id": "string",
      "namespace": "string",
      "timestamp": "string",
      "updatedAt": "string",
      "updatedBy": "string"
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}












Get a conversation

GET /api/security_ai_assistant/current_user/conversations/{id}

Get the details of an existing conversation using the conversation ID.

Path parameters

  • id string(nonempty) Required

    The conversation's id value.

    Minimum length is 1.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • LLM API configuration.

      Additional properties are allowed.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The last time conversation was updated.

    • excludeFromLastConversationStorage.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • isDefault boolean

      Is default conversation.

    • messages array[object]

      The conversation messages.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        metadata

        Additional properties are allowed.

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • trace Data

        Additional properties are allowed.

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • Replacements object used to anonymize/deanomymize messsages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object

      Additional properties are allowed.

      Hide summary attributes Show summary attributes object
      • How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • title string Required

      The conversation title.

    • The last time conversation was updated.

    • users array[object] Required
      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/current_user/conversations/{id}
curl \
 --request GET https://localhost:5601/api/security_ai_assistant/current_user/conversations/{id}
Response examples (200)
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "createdAt": "string",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "isDefault": true,
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "namespace": "string",
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "summary": {
    "confidence": "low",
    "content": "string",
    "public": true,
    "timestamp": "string"
  },
  "timestamp": "string",
  "title": "string",
  "updatedAt": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




























Read a Knowledge Base Entry

GET /api/security_ai_assistant/knowledge_base/entries/{id}

Read a Knowledge Base Entry

Path parameters

  • id string(nonempty) Required

    The Knowledge Base Entry's id value.

    Minimum length is 1.

Responses

  • 200 application/json

    Successful request returning a Knowledge Base Entry

    Any of:
    Hide attributes Show attributes
    • name string Required

      Name of the Knowledge Base Entry

    • namespace string Required

      Kibana Space, defaults to 'default' space

    • users array[object] Required

      Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

      Hide users attributes Show users attributes object
    • createdAt string Required

      Time the Knowledge Base Entry was created

    • createdBy string Required

      User who created the Knowledge Base Entry

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • updatedAt string Required

      Time the Knowledge Base Entry was last updated

    • updatedBy string Required

      User who last updated the Knowledge Base Entry

    • kbResource string Required

      Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc

    • source string Required

      Source document name or filepath

    • text string Required

      Knowledge Base Entry content

    • type string Required Discriminator

      Entry type

      Value is document.

    • required boolean

      Whether this resource should always be included, defaults to false

    • vector object

      Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

      Additional properties are allowed.

      Hide vector attributes Show vector attributes object
      • modelId string Required

        ID of the model used to create the embeddings

      • tokens object Required

        Tokens with their corresponding values

        Hide tokens attribute Show tokens attribute object
        • * number Additional properties
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/knowledge_base/entries/{id}
curl \
 --request GET https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/{id}
Response examples (200)
{
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "kbResource": "string",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}
{
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

























































Create multiple detection rules Deprecated

POST /api/detection_engine/rules/_bulk_create

Create new detection rules in bulk.

application/json

Body object Required

A JSON array of rules, where each rule contains the required fields.

Any of:
  • actions array[object]
    Hide actions attributes Show actions attributes object
    • action_type_id string Required

      The action type used for sending notifications.

    • Additional properties are allowed.

    • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

      Additional properties are allowed.

      Hide frequency attributes Show frequency attributes object
      • notifyWhen string Required

        The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

        Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

      • summary boolean Required

        Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

      • throttle string | null Required

        Defines how often rule actions are taken.

        One of:

        Values are no_actions or rule.

    • group string

      Optionally groups actions by use cases. Use default for alert notifications.

    • id string Required

      The connector ID.

    • params object Required

      Object containing the allowed connector fields, which varies according to the connector type.

      Additional properties are allowed.

    • uuid string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • Values are savedObjectConversion or savedObjectImport.

  • author array[string]
  • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

  • description string Required

    Minimum length is 1.

  • enabled boolean

    Determines whether the rule is enabled.

  • exceptions_list array[object]
    Hide exceptions_list attributes Show exceptions_list attributes object
    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • list_id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • namespace_type string Required

      Determines the exceptions validity in rule's Kibana space

      Values are agnostic or single.

    • type string Required

      The exception type

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

  • false_positives array[string]
  • from string(date-math)

    Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

  • interval string

    Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

  • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

    const investigationFields = z.object({
      field_names: NonEmptyArray(NonEmptyString),
      override: z.boolean().optional(),
    });
    

    Additional properties are allowed.

    Hide investigation_fields attribute Show investigation_fields attribute object
    • field_names array[string(nonempty)] Required

      A string that does not contain only whitespace characters

      At least 1 element. Minimum length of each is 1.

  • license string

    The rule's license.

  • Minimum value is 1.

  • meta object

    Additional properties are allowed.

  • name string Required

    Minimum length is 1.

  • Has no effect.

  • note string

    Notes to help investigate alerts produced by the rule.

  • outcome string

    Values are exactMatch, aliasMatch, or conflict.

  • output_index string Deprecated

    (deprecated) Has no effect.

  • references array[string]
  • required_fields array[object]
    Hide required_fields attributes Show required_fields attributes object
    • name string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • type string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • response_actions array[object]
    One of:
    Hide attributes Show attributes
  • risk_score integer Required

    Risk score (0 to 100)

    Minimum value is 0, maximum value is 100.

  • risk_score_mapping array[object]

    Overrides generated alerts' risk_score with a value from the source event

    Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  • rule_id string

    Could be any string, not necessarily a UUID

  • Sets the source field for the alert's signal.rule.name value

  • setup string
  • severity string Required

    Severity of the rule

    Values are low, medium, high, or critical.

  • severity_mapping array[object]

    Overrides generated alerts' severity with values from the source event

    Hide severity_mapping attributes Show severity_mapping attributes object
    • field string Required
    • operator string Required

      Value is equals.

    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • value string Required
  • tags array[string]

    String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

  • threat array[object]
    Hide threat attributes Show threat attributes object
    • framework string Required

      Relevant attack framework

    • tactic object Required

      Additional properties are allowed.

      Hide tactic attributes Show tactic attributes object
      • id string Required

        Tactic ID

      • name string Required

        Tactic name

      • reference string Required

        Tactic reference

    • technique array[object]

      Array containing information on the attack techniques (optional)

      Hide technique attributes Show technique attributes object
      • id string Required

        Technique ID

      • name string Required

        Technique name

      • reference string Required

        Technique reference

      • subtechnique array[object]

        Array containing more specific information on the attack technique

        Hide subtechnique attributes Show subtechnique attributes object
        • id string Required

          Subtechnique ID

        • name string Required

          Subtechnique name

        • reference string Required

          Subtechnique reference

  • throttle string | null

    Defines how often rule actions are taken.

    One of:

    Values are no_actions or rule.

  • Timeline template ID

  • Timeline template title

  • Sets the time field used to query indices

  • Disables the fallback to the event's @timestamp field

  • to string
  • version integer

    The rule's version number.

    Minimum value is 1.

  • language string Required

    Query language to use

    Value is eql.

  • query string Required

    EQL query to execute

  • type string Required Discriminator

    Rule type

    Value is eql.

  • Additional properties are allowed.

    Hide alert_suppression attributes Show alert_suppression attributes object
    • duration object

      Additional properties are allowed.

      Hide duration attributes Show duration attributes object
      • unit string Required

        Values are s, m, or h.

      • value integer Required

        Minimum value is 1.

    • group_by array[string] Required

      At least 1 but not more than 3 elements.

    • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

      Values are doNotSuppress or suppress.

  • filters array
  • index array[string]
  • Sets a secondary field for sorting events

  • Contains the event timestamp used for sorting a sequence of events

Responses

  • 200 application/json

    Indicates a successful call.

    One of:
    Hide attributes Show attributes
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications.

      • Additional properties are allowed.

      • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Additional properties are allowed.

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • Values are savedObjectConversion or savedObjectImport.

    • author array[string] Required
    • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

    • description string Required

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled.

    • exceptions_list array[object] Required
      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • list_id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required
    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

      const investigationFields = z.object({
        field_names: NonEmptyArray(NonEmptyString),
        override: z.boolean().optional(),
      });
      

      Additional properties are allowed.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Minimum value is 1.

    • meta object

      Additional properties are allowed.

    • name string Required

      Minimum length is 1.

    • Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required
    • required_fields array[object] Required
      Hide required_fields attributes Show required_fields attributes object
      • ecs boolean Required

        Whether the field is an ECS field

      • name string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • type string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Hide attributes Show attributes
    • risk_score integer Required

      Risk score (0 to 100)

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • Sets the source field for the alert's signal.rule.name value

    • setup string Required
    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required
      • operator string Required

        Value is equals.

      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required
      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Additional properties are allowed.

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:

      Values are no_actions or rule.

    • Timeline template ID

    • Timeline template title

    • Sets the time field used to query indices

    • Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • Additional properties are allowed.

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required

        Additional properties are allowed.

        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required

          Additional properties are allowed.

          Hide metrics attributes Show metrics attributes object
          • Duration in seconds of execution gap

            Minimum value is 0.

          • Range of the execution gap

            Additional properties are allowed.

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A universally unique identifier

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      Minimum value is 0.

    • rule_id string Required

      Could be any string, not necessarily a UUID

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      EQL query to execute

    • type string Required Discriminator

      Rule type

      Value is eql.

    • Additional properties are allowed.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object

        Additional properties are allowed.

        Hide duration attributes Show duration attributes object
        • unit string Required

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • filters array
    • index array[string]
    • Sets a secondary field for sorting events

    • Contains the event timestamp used for sorting a sequence of events

POST /api/detection_engine/rules/_bulk_create
curl \
 --request POST https://localhost:5601/api/detection_engine/rules/_bulk_create \
 --header "Content-Type: application/json" \
 --data '[{"actions":[{"action_type_id":"string","alerts_filter":{},"frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":"no_actions"},"group":"string","id":"string","params":{},"uuid":"string"}],"alias_purpose":"savedObjectConversion","alias_target_id":"string","author":["string"],"building_block_type":"string","description":"string","enabled":true,"exceptions_list":[{"id":"string","list_id":"string","namespace_type":"agnostic","type":"detection"}],"false_positives":["string"],"from":"string","interval":"string","investigation_fields":{"field_names":["string"]},"license":"string","max_signals":42,"meta":{},"name":"string","namespace":"string","note":"string","outcome":"exactMatch","output_index":"string","references":["string"],"related_integrations":[{"integration":"string","package":"string","version":"string"}],"required_fields":[{"name":"string","type":"string"}],"response_actions":[{"action_type_id":".osquery","params":{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string","timeout":42.0}}],"risk_score":42,"risk_score_mapping":[{"field":"string","operator":"equals","risk_score":42,"value":"string"}],"rule_id":"string","rule_name_override":"string","setup":"string","severity":"low","severity_mapping":[{"field":"string","operator":"equals","severity":"low","value":"string"}],"tags":["string"],"threat":[{"framework":"string","tactic":{"id":"string","name":"string","reference":"string"},"technique":[{"id":"string","name":"string","reference":"string","subtechnique":[{"id":"string","name":"string","reference":"string"}]}]}],"throttle":"no_actions","timeline_id":"string","timeline_title":"string","timestamp_override":"string","timestamp_override_fallback_disabled":true,"to":"string","version":42,"language":"eql","query":"string","type":"eql","alert_suppression":{"duration":{"unit":"s","value":42},"group_by":["string"],"missing_fields_strategy":"doNotSuppress"},"data_view_id":"string","event_category_override":"string","filters":[],"index":["string"],"tiebreaker_field":"string","timestamp_field":"string"}]'
Request examples
[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_id": "string",
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]
Response examples (200)
[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "ecs": true,
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "created_at": "2025-05-04T09:42:00+00:00",
    "created_by": "string",
    "execution_summary": {
      "last_execution": {
        "date": "2025-05-04T09:42:00+00:00",
        "message": "string",
        "metrics": {
          "execution_gap_duration_s": 42,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_enrichment_duration_ms": 42,
          "total_indexing_duration_ms": 42,
          "total_search_duration_ms": 42
        },
        "status": "going to run",
        "status_order": 42
      }
    },
    "id": "string",
    "immutable": true,
    "revision": 42,
    "rule_id": "string",
    "rule_source": {
      "is_customized": true,
      "type": "external"
    },
    "updated_at": "2025-05-04T09:42:00+00:00",
    "updated_by": "string",
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]

Delete multiple detection rules Deprecated

POST /api/detection_engine/rules/_bulk_delete

Deletes multiple rules.

application/json

Body Required

A JSON array of id or rule_id fields of the rules you want to delete.

  • id string(uuid)

    A universally unique identifier

  • rule_id string

    Could be any string, not necessarily a UUID

Responses

  • 200 application/json

    Indicates a successful call.

    One of:
    Hide attributes Show attributes
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications.

      • Additional properties are allowed.

      • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Additional properties are allowed.

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • Values are savedObjectConversion or savedObjectImport.

    • author array[string] Required
    • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

    • description string Required

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled.

    • exceptions_list array[object] Required
      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • list_id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required
    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

      const investigationFields = z.object({
        field_names: NonEmptyArray(NonEmptyString),
        override: z.boolean().optional(),
      });
      

      Additional properties are allowed.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Minimum value is 1.

    • meta object

      Additional properties are allowed.

    • name string Required

      Minimum length is 1.

    • Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required
    • required_fields array[object] Required
      Hide required_fields attributes Show required_fields attributes object
      • ecs boolean Required

        Whether the field is an ECS field

      • name string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • type string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Hide attributes Show attributes
    • risk_score integer Required

      Risk score (0 to 100)

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • Sets the source field for the alert's signal.rule.name value

    • setup string Required
    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required
      • operator string Required

        Value is equals.

      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required
      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Additional properties are allowed.

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:

      Values are no_actions or rule.

    • Timeline template ID

    • Timeline template title

    • Sets the time field used to query indices

    • Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • Additional properties are allowed.

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required

        Additional properties are allowed.

        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required

          Additional properties are allowed.

          Hide metrics attributes Show metrics attributes object
          • Duration in seconds of execution gap

            Minimum value is 0.

          • Range of the execution gap

            Additional properties are allowed.

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A universally unique identifier

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      Minimum value is 0.

    • rule_id string Required

      Could be any string, not necessarily a UUID

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      EQL query to execute

    • type string Required Discriminator

      Rule type

      Value is eql.

    • Additional properties are allowed.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object

        Additional properties are allowed.

        Hide duration attributes Show duration attributes object
        • unit string Required

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • filters array
    • index array[string]
    • Sets a secondary field for sorting events

    • Contains the event timestamp used for sorting a sequence of events

  • 400 application/json

    Invalid input data response

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
POST /api/detection_engine/rules/_bulk_delete
curl \
 --request POST https://localhost:5601/api/detection_engine/rules/_bulk_delete \
 --header "Content-Type: application/json" \
 --data '[{"id":"string","rule_id":"string"}]'
Request examples
[
  {
    "id": "string",
    "rule_id": "string"
  }
]
Response examples (200)
[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "ecs": true,
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "created_at": "2025-05-04T09:42:00+00:00",
    "created_by": "string",
    "execution_summary": {
      "last_execution": {
        "date": "2025-05-04T09:42:00+00:00",
        "message": "string",
        "metrics": {
          "execution_gap_duration_s": 42,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_enrichment_duration_ms": 42,
          "total_indexing_duration_ms": 42,
          "total_search_duration_ms": 42
        },
        "status": "going to run",
        "status_order": 42
      }
    },
    "id": "string",
    "immutable": true,
    "revision": 42,
    "rule_id": "string",
    "rule_source": {
      "is_customized": true,
      "type": "external"
    },
    "updated_at": "2025-05-04T09:42:00+00:00",
    "updated_by": "string",
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}








Patch multiple detection rules Deprecated

PATCH /api/detection_engine/rules/_bulk_update

Update specific fields of existing detection rules using the rule_id or id field.

application/json

Body object Required

A JSON array of rules, where each rule contains the required fields.

Any of:
  • actions array[object]
    Hide actions attributes Show actions attributes object
    • action_type_id string Required

      The action type used for sending notifications.

    • Additional properties are allowed.

    • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

      Additional properties are allowed.

      Hide frequency attributes Show frequency attributes object
      • notifyWhen string Required

        The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

        Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

      • summary boolean Required

        Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

      • throttle string | null Required

        Defines how often rule actions are taken.

        One of:

        Values are no_actions or rule.

    • group string

      Optionally groups actions by use cases. Use default for alert notifications.

    • id string Required

      The connector ID.

    • params object Required

      Object containing the allowed connector fields, which varies according to the connector type.

      Additional properties are allowed.

    • uuid string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • Values are savedObjectConversion or savedObjectImport.

  • author array[string]
  • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

  • Minimum length is 1.

  • enabled boolean

    Determines whether the rule is enabled.

  • exceptions_list array[object]
    Hide exceptions_list attributes Show exceptions_list attributes object
    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • list_id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • namespace_type string Required

      Determines the exceptions validity in rule's Kibana space

      Values are agnostic or single.

    • type string Required

      The exception type

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

  • false_positives array[string]
  • from string(date-math)

    Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

  • id string(uuid)

    A universally unique identifier

  • interval string

    Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

  • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

    const investigationFields = z.object({
      field_names: NonEmptyArray(NonEmptyString),
      override: z.boolean().optional(),
    });
    

    Additional properties are allowed.

    Hide investigation_fields attribute Show investigation_fields attribute object
    • field_names array[string(nonempty)] Required

      A string that does not contain only whitespace characters

      At least 1 element. Minimum length of each is 1.

  • license string

    The rule's license.

  • Minimum value is 1.

  • meta object

    Additional properties are allowed.

  • name string

    Minimum length is 1.

  • Has no effect.

  • note string

    Notes to help investigate alerts produced by the rule.

  • outcome string

    Values are exactMatch, aliasMatch, or conflict.

  • output_index string Deprecated

    (deprecated) Has no effect.

  • references array[string]
  • required_fields array[object]
    Hide required_fields attributes Show required_fields attributes object
    • name string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • type string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • response_actions array[object]
    One of:
    Hide attributes Show attributes
  • risk_score integer

    Risk score (0 to 100)

    Minimum value is 0, maximum value is 100.

  • risk_score_mapping array[object]

    Overrides generated alerts' risk_score with a value from the source event

    Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  • rule_id string

    Could be any string, not necessarily a UUID

  • Sets the source field for the alert's signal.rule.name value

  • setup string
  • severity string

    Severity of the rule

    Values are low, medium, high, or critical.

  • severity_mapping array[object]

    Overrides generated alerts' severity with values from the source event

    Hide severity_mapping attributes Show severity_mapping attributes object
    • field string Required
    • operator string Required

      Value is equals.

    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • value string Required
  • tags array[string]

    String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

  • threat array[object]
    Hide threat attributes Show threat attributes object
    • framework string Required

      Relevant attack framework

    • tactic object Required

      Additional properties are allowed.

      Hide tactic attributes Show tactic attributes object
      • id string Required

        Tactic ID

      • name string Required

        Tactic name

      • reference string Required

        Tactic reference

    • technique array[object]

      Array containing information on the attack techniques (optional)

      Hide technique attributes Show technique attributes object
      • id string Required

        Technique ID

      • name string Required

        Technique name

      • reference string Required

        Technique reference

      • subtechnique array[object]

        Array containing more specific information on the attack technique

        Hide subtechnique attributes Show subtechnique attributes object
        • id string Required

          Subtechnique ID

        • name string Required

          Subtechnique name

        • reference string Required

          Subtechnique reference

  • throttle string | null

    Defines how often rule actions are taken.

    One of:

    Values are no_actions or rule.

  • Timeline template ID

  • Timeline template title

  • Sets the time field used to query indices

  • Disables the fallback to the event's @timestamp field

  • to string
  • version integer

    The rule's version number.

    Minimum value is 1.

  • language string

    Query language to use

    Value is eql.

  • query string

    EQL query to execute

  • type string

    Rule type

    Value is eql.

  • Additional properties are allowed.

    Hide alert_suppression attributes Show alert_suppression attributes object
    • duration object

      Additional properties are allowed.

      Hide duration attributes Show duration attributes object
      • unit string Required

        Values are s, m, or h.

      • value integer Required

        Minimum value is 1.

    • group_by array[string] Required

      At least 1 but not more than 3 elements.

    • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

      Values are doNotSuppress or suppress.

  • filters array
  • index array[string]
  • Sets a secondary field for sorting events

  • Contains the event timestamp used for sorting a sequence of events

Responses

  • 200 application/json

    Indicates a successful call.

    One of:
    Hide attributes Show attributes
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications.

      • Additional properties are allowed.

      • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Additional properties are allowed.

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • Values are savedObjectConversion or savedObjectImport.

    • author array[string] Required
    • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

    • description string Required

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled.

    • exceptions_list array[object] Required
      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • list_id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required
    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

      const investigationFields = z.object({
        field_names: NonEmptyArray(NonEmptyString),
        override: z.boolean().optional(),
      });
      

      Additional properties are allowed.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Minimum value is 1.

    • meta object

      Additional properties are allowed.

    • name string Required

      Minimum length is 1.

    • Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required
    • required_fields array[object] Required
      Hide required_fields attributes Show required_fields attributes object
      • ecs boolean Required

        Whether the field is an ECS field

      • name string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • type string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Hide attributes Show attributes
    • risk_score integer Required

      Risk score (0 to 100)

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • Sets the source field for the alert's signal.rule.name value

    • setup string Required
    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required
      • operator string Required

        Value is equals.

      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required
      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Additional properties are allowed.

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:

      Values are no_actions or rule.

    • Timeline template ID

    • Timeline template title

    • Sets the time field used to query indices

    • Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • Additional properties are allowed.

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required

        Additional properties are allowed.

        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required

          Additional properties are allowed.

          Hide metrics attributes Show metrics attributes object
          • Duration in seconds of execution gap

            Minimum value is 0.

          • Range of the execution gap

            Additional properties are allowed.

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A universally unique identifier

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      Minimum value is 0.

    • rule_id string Required

      Could be any string, not necessarily a UUID

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      EQL query to execute

    • type string Required Discriminator

      Rule type

      Value is eql.

    • Additional properties are allowed.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object

        Additional properties are allowed.

        Hide duration attributes Show duration attributes object
        • unit string Required

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • filters array
    • index array[string]
    • Sets a secondary field for sorting events

    • Contains the event timestamp used for sorting a sequence of events

PATCH /api/detection_engine/rules/_bulk_update
curl \
 --request PATCH https://localhost:5601/api/detection_engine/rules/_bulk_update \
 --header "Content-Type: application/json" \
 --data '[{"actions":[{"action_type_id":"string","alerts_filter":{},"frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":"no_actions"},"group":"string","id":"string","params":{},"uuid":"string"}],"alias_purpose":"savedObjectConversion","alias_target_id":"string","author":["string"],"building_block_type":"string","description":"string","enabled":true,"exceptions_list":[{"id":"string","list_id":"string","namespace_type":"agnostic","type":"detection"}],"false_positives":["string"],"from":"string","id":"string","interval":"string","investigation_fields":{"field_names":["string"]},"license":"string","max_signals":42,"meta":{},"name":"string","namespace":"string","note":"string","outcome":"exactMatch","output_index":"string","references":["string"],"related_integrations":[{"integration":"string","package":"string","version":"string"}],"required_fields":[{"name":"string","type":"string"}],"response_actions":[{"action_type_id":".osquery","params":{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string","timeout":42.0}}],"risk_score":42,"risk_score_mapping":[{"field":"string","operator":"equals","risk_score":42,"value":"string"}],"rule_id":"string","rule_name_override":"string","setup":"string","severity":"low","severity_mapping":[{"field":"string","operator":"equals","severity":"low","value":"string"}],"tags":["string"],"threat":[{"framework":"string","tactic":{"id":"string","name":"string","reference":"string"},"technique":[{"id":"string","name":"string","reference":"string","subtechnique":[{"id":"string","name":"string","reference":"string"}]}]}],"throttle":"no_actions","timeline_id":"string","timeline_title":"string","timestamp_override":"string","timestamp_override_fallback_disabled":true,"to":"string","version":42,"language":"eql","query":"string","type":"eql","alert_suppression":{"duration":{"unit":"s","value":42},"group_by":["string"],"missing_fields_strategy":"doNotSuppress"},"data_view_id":"string","event_category_override":"string","filters":[],"index":["string"],"tiebreaker_field":"string","timestamp_field":"string"}]'
Request examples
[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "id": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_id": "string",
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]
Response examples (200)
[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "ecs": true,
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "created_at": "2025-05-04T09:42:00+00:00",
    "created_by": "string",
    "execution_summary": {
      "last_execution": {
        "date": "2025-05-04T09:42:00+00:00",
        "message": "string",
        "metrics": {
          "execution_gap_duration_s": 42,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_enrichment_duration_ms": 42,
          "total_indexing_duration_ms": 42,
          "total_search_duration_ms": 42
        },
        "status": "going to run",
        "status_order": 42
      }
    },
    "id": "string",
    "immutable": true,
    "revision": 42,
    "rule_id": "string",
    "rule_source": {
      "is_customized": true,
      "type": "external"
    },
    "updated_at": "2025-05-04T09:42:00+00:00",
    "updated_by": "string",
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]

Export detection rules

POST /api/detection_engine/rules/_export

Export detection rules to an .ndjson file. The following configuration items are also included in the .ndjson file:

  • Actions
  • Exception lists

You cannot export prebuilt rules.

Query parameters

  • Determines whether a summary of the exported rules is returned.

    Default value is false.

  • File name for saving the exported rules.

    Default value is export.ndjson.

application/json

Body

  • objects array[object] Required

    Array of rule_id fields. Exports all rules when unspecified.

    Hide objects attribute Show objects attribute object
    • rule_id string Required

      Could be any string, not necessarily a UUID

Responses

  • 200 application/ndjson

    Indicates a successful call.

    An .ndjson file containing the returned rules.

POST /api/detection_engine/rules/_export
curl \
 --request POST https://localhost:5601/api/detection_engine/rules/_export \
 --header "Content-Type: application/json" \
 --data '{"objects":[{"rule_id":"string"}]}'
Request examples
{
  "objects": [
    {
      "rule_id": "string"
    }
  ]
}
Response examples (200)
@file












Retrieve the status of prebuilt detection rules and Timelines

GET /api/detection_engine/rules/prepackaged/_status

Retrieve the status of all Elastic prebuilt detection rules and Timelines.

Responses

  • 200 application/json

    Indicates a successful call

    Hide response attributes Show response attributes object
    • rules_custom_installed integer Required

      The total number of custom rules

      Minimum value is 0.

    • rules_installed integer Required

      The total number of installed prebuilt rules

      Minimum value is 0.

    • rules_not_installed integer Required

      The total number of available prebuilt rules that are not installed

      Minimum value is 0.

    • rules_not_updated integer Required

      The total number of outdated prebuilt rules

      Minimum value is 0.

    • timelines_installed integer Required

      The total number of installed prebuilt timelines

      Minimum value is 0.

    • timelines_not_installed integer Required

      The total number of available prebuilt timelines that are not installed

      Minimum value is 0.

    • timelines_not_updated integer Required

      The total number of outdated prebuilt timelines

      Minimum value is 0.

GET /api/detection_engine/rules/prepackaged/_status
curl \
 --request GET https://localhost:5601/api/detection_engine/rules/prepackaged/_status
Response examples (200)
{
  "rules_custom_installed": 42,
  "rules_installed": 42,
  "rules_not_installed": 42,
  "rules_not_updated": 42,
  "timelines_installed": 42,
  "timelines_not_installed": 42,
  "timelines_not_updated": 42
}
















Clean up detection alert migrations Deprecated

DELETE /api/detection_engine/signals/migration

Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted.

While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation.

application/json

Body Required

Array of migration_ids to cleanup

  • migration_ids array[string] Required

    Array of migration_ids to cleanup.

    At least 1 element.

Responses

DELETE /api/detection_engine/signals/migration
curl \
 --request DELETE https://localhost:5601/api/detection_engine/signals/migration \
 --header "Content-Type: application/json" \
 --data '{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]}'
Request example
{
  "migration_ids": [
    "924f7c50-505f-11eb-ae0a-3fa2e626a51d"
  ]
}
Response examples (200)
{
  "migrations": [
    {
      "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "status": "success",
      "updated": "2021-01-06T22:05:56.859Z",
      "version": 16,
      "sourceIndex": ".siem-signals-default-000002",
      "destinationIndex": ".siem-signals-default-000002-r000016"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}

Retrieve the status of detection alert migrations Deprecated

GET /api/detection_engine/signals/migration_status

Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices.

Query parameters

  • from string(date-math) Required

    Maximum age of qualifying detection alerts

Responses

GET /api/detection_engine/signals/migration_status
curl \
 --request GET https://localhost:5601/api/detection_engine/signals/migration_status?from=now-30d
Response examples (200)
{
  "indices": [
    {
      "index": ".siem-signals-default-000002",
      "version": 15,
      "migrations": [
        {
          "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
          "status": "pending",
          "updated": "2021-01-06T20:41:37.173Z",
          "version": 16
        }
      ],
      "is_outdated": true,
      "signal_versions": [
        {
          "count": 100,
          "version": 15
        },
        {
          "count": 87,
          "version": 16
        }
      ]
    },
    {
      "index": ".siem-signals-default-000003",
      "version": 16,
      "migrations": [],
      "is_outdated": false,
      "signal_versions": [
        {
          "count": 54,
          "version": 16
        }
      ]
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}
















Security endpoint exceptions

Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.













Create an endpoint exception list item

POST /api/endpoint_list/items

Create an endpoint exception list item, and associate it with the endpoint exception list.

application/json

Body Required

Exception list item's properties

  • comments array[object]

    Array of comment fields:

    • comment (string): Comments about the exception item.
    Hide comments attributes Show comments attributes object
    • comment string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • updated_at string(date-time)

      Autogenerated date of last object update.

    • updated_by string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • description string Required

    Describes the exception list.

  • entries array[object] Required
    Any of:
    Hide attributes Show attributes
    • field string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • operator string Required

      Values are excluded or included.

    • type string Required Discriminator

      Value is match.

    • value string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • item_id string(nonempty)

    Human readable string identifier, e.g. trusted-linux-processes

    Minimum length is 1.

  • meta object

    Additional properties are allowed.

  • name string(nonempty) Required

    Exception list name.

    Minimum length is 1.

  • os_types array[string]

    Use this field to specify the operating system.

    Values are linux, macos, or windows.

  • tags array[string(nonempty)]

    String array containing words and phrases to help categorize exception items.

    Minimum length of each is 1.

  • type string Required

    Value is simple.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • comments array[object] Required

      Array of comment fields:

      • comment (string): Comments about the exception item.
      Hide comments attributes Show comments attributes object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updated_at string(date-time)

        Autogenerated date of last object update.

      • updated_by string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)

      The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

    • id string(nonempty) Required

      Exception's identifier.

      Minimum length is 1.

    • item_id string(nonempty) Required

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows.

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Value is simple.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

  • 400 application/json

    Invalid input data

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 409 application/json

    Endpoint list item already exists

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
POST /api/endpoint_list/items
curl \
 --request POST https://localhost:5601/api/endpoint_list/items \
 --header "Content-Type: application/json" \
 --data '{"comments":[{"comment":"string","created_at":"2025-05-04T09:42:00+00:00","created_by":"string","id":"string","updated_at":"2025-05-04T09:42:00+00:00","updated_by":"string"}],"description":"string","entries":[{"field":"string","operator":"excluded","type":"match","value":"string"}],"item_id":"simple_list_item","meta":{},"name":"string","os_types":["linux"],"tags":["string"],"type":"simple"}'
Request examples
{
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "item_id": "simple_list_item",
  "meta": {},
  "name": "string",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "type": "simple"
}
Response examples (200)
{
  "_version": "string",
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "expire_time": "2025-05-04T09:42:00+00:00",
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "meta": {},
  "name": "string",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "simple",
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (409)
{
  "message": "string",
  "status_code": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}

























Download a file

GET /api/endpoint/action/{action_id}/file/{file_id}/download

Download a file from an endpoint.

Path parameters

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

GET /api/endpoint/action/{action_id}/file/{file_id}/download
curl \
 --request GET https://localhost:5601/api/endpoint/action/{action_id}/file/{file_id}/download
Response examples (200)
{}




































Release an isolated endpoint

POST /api/endpoint/action/unisolate

Release an isolated endpoint, allowing it to rejoin a network.

application/json

Body Required

  • The host agent type (optional). Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • Optional parameters object

    Additional properties are allowed.

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

POST /api/endpoint/action/unisolate
curl \
 --request POST https://localhost:5601/api/endpoint/action/unisolate \
 --header "Content-Type: application/json" \
 --data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{}}'
Request examples
{
  "agent_type": "endpoint",
  "alert_ids": [
    "string"
  ],
  "case_ids": [
    "string"
  ],
  "comment": "string",
  "endpoint_ids": [
    "string"
  ],
  "parameters": {}
}
Response examples (200)
{}












Get a policy response

GET /api/endpoint/policy_response

Query parameters

  • query object Required

    Additional properties are allowed.

    Hide query attribute Show query attribute object

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

GET /api/endpoint/policy_response
curl \
 --request GET https://localhost:5601/api/endpoint/policy_response?query=%7B%7D
Response examples (200)
{}

























List asset criticality records

GET /api/asset_criticality/list

List asset criticality records, paging, sorting and filtering as needed.

Query parameters

  • The field to sort by.

    Values are id_value, id_field, criticality_level, or \@timestamp.

  • The order to sort by.

    Values are asc or desc.

  • page integer

    The page number to return.

    Minimum value is 1.

  • per_page integer

    The number of records to return per page.

    Minimum value is 1, maximum value is 1000.

  • kuery string

    The kuery to filter by.

Responses

  • 200 application/json

    Successfully retrieved asset criticality records

    Hide response attributes Show response attributes object
    • page integer Required

      Minimum value is 1.

    • per_page integer Required

      Minimum value is 1, maximum value is 1000.

    • records array[object] Required
      Hide records attributes Show records attributes object

      The deleted record if it existed.

      • id_field string Required

        Values are host.name, user.name, service.name, or related.entity.

      • id_value string Required

        The ID value of the asset.

      • criticality_level string Required

        The criticality level of the asset.

        Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • asset object Required

        Additional properties are allowed.

        Hide asset attribute Show asset attribute object
        • The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • host object

        Additional properties are allowed.

        Hide host attributes Show host attributes object
        • asset object

          Additional properties are allowed.

          Hide asset attribute Show asset attribute object
          • criticality string Required

            The criticality level of the asset.

            Values are low_impact, medium_impact, high_impact, or extreme_impact.

        • name string Required
      • service object

        Additional properties are allowed.

        Hide service attributes Show service attributes object
        • asset object

          Additional properties are allowed.

          Hide asset attribute Show asset attribute object
          • criticality string Required

            The criticality level of the asset.

            Values are low_impact, medium_impact, high_impact, or extreme_impact.

        • name string Required
      • user object

        Additional properties are allowed.

        Hide user attributes Show user attributes object
        • asset object

          Additional properties are allowed.

          Hide asset attribute Show asset attribute object
          • criticality string Required

            The criticality level of the asset.

            Values are low_impact, medium_impact, high_impact, or extreme_impact.

        • name string Required
      • @timestamp string(date-time) Required

        The time the record was created or updated.

    • total integer Required

      Minimum value is 0.

GET /api/asset_criticality/list
curl \
 --request GET https://localhost:5601/api/asset_criticality/list
Response examples (200)
{
  "page": 1,
  "total": 2,
  "records": [
    {
      "host": {
        "name": "my_other_host",
        "asset": {
          "criticality": "medium_impact"
        }
      },
      "asset": {
        "criticality": "medium_impact"
      },
      "id_field": "host.name",
      "id_value": "my_other_host",
      "@timestamp": "2024-08-02T14:40:35.705Z",
      "criticality_level": "medium_impact"
    },
    {
      "host": {
        "name": "my_host",
        "asset": {
          "criticality": "high_impact"
        }
      },
      "asset": {
        "criticality": "high_impact"
      },
      "id_field": "host.name",
      "id_value": "my_host",
      "@timestamp": "2024-08-02T11:15:34.290Z",
      "criticality_level": "high_impact"
    }
  ],
  "per_page": 10
}