Create an agent binary download source

POST /api/fleet/agent_download_sources
Api key auth Basic auth

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agent_download_sources 
curl \
 --request POST 'http://localhost:5622/api/fleet/agent_download_sources' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host":"https://example.com","id":"string","is_default":false,"name":"string","proxy_id":"string","secrets":{"ssl":{"key":{"id":"string"}}},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string"}}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "host": "https://example.com",
  "id": "string",
  "is_default": false,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string"
  }
}
Response examples (200) 
{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string",
    "secrets": {
      "ssl": {
        "key": {
          "id": "string"
        }
      }
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string"
    }
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}
Api key auth Basic auth

Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].

Query parameters

  • format string

    Values are simplified or legacy.

Responses

GET /api/fleet/agent_policies/{agentPolicyId} 
curl \
 --request GET 'http://localhost:5622/api/fleet/agent_policies/{agentPolicyId}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Install a package by upload

POST /api/fleet/epm/packages
Api key auth Basic auth

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

application/gzip; application/zip

Body

string(binary) string(binary)

Responses

POST /api/fleet/epm/packages 
curl \
 --request POST 'http://localhost:5622/api/fleet/epm/packages' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/gzip; application/zip" \
 --header "kbn-xsrf: true" \
 --data-binary '@file'

Get a package signature verification key ID

GET /api/fleet/epm/verification_key_id
Api key auth Basic auth

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Responses

GET /api/fleet/epm/verification_key_id 
curl \
 --request GET 'http://localhost:5622/api/fleet/epm/verification_key_id' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "string"
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Check permissions

GET /api/fleet/check-permissions
Api key auth Basic auth

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • error string

      Values are MISSING_SECURITY, MISSING_PRIVILEGES, or MISSING_FLEET_SERVER_SETUP_PRIVILEGES.

    • success boolean Required
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/check-permissions 
curl \
 --request GET 'http://localhost:5622/api/fleet/check-permissions' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "error": "MISSING_SECURITY",
  "success": true
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Fleet outputs

Update a proxy

PUT /api/fleet/proxies/{itemId}
Api key auth Basic auth

Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

PUT /api/fleet/proxies/{itemId} 
curl \
 --request PUT 'http://localhost:5622/api/fleet/proxies/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","name":"string","proxy_headers":{},"url":"string"}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "certificate": "string",
  "certificate_authorities": "string",
  "certificate_key": "string",
  "name": "string",
  "proxy_headers": {},
  "url": "string"
}
Response examples (200) 
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Fleet Server hosts

Delete a Fleet Server host

DELETE /api/fleet/fleet_server_hosts/{itemId}
Api key auth Basic auth

Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

DELETE /api/fleet/fleet_server_hosts/{itemId} 
curl \
 --request DELETE 'http://localhost:5622/api/fleet/fleet_server_hosts/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"
Response examples (200) 
{
  "id": "string"
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Machine learning

Machine learning

Roles

Manage the roles that grant Elasticsearch and Kibana privileges.

Kibana role management

Delete a role

DELETE /api/security/role/{name}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • name string Required

    Minimum length is 1.

Responses

  • 204

    Indicates a successful call.

DELETE /api/security/role/{name} 
curl \
 --request DELETE 'http://localhost:5622/api/security/role/{name}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Security detections

Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the Alerts page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.

If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.

If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.

Clean up detection alert migrations Deprecated

DELETE /api/detection_engine/signals/migration
Api key auth Basic auth

Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted.

While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation.

application/json

Body Required

Array of migration_ids to cleanup

  • migration_ids array[string] Required

    Array of migration_ids to cleanup.

    At least 1 element.

Responses

DELETE /api/detection_engine/signals/migration 
curl \
 --request DELETE 'http://localhost:5622/api/detection_engine/signals/migration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]}'
Request example 
{
  "migration_ids": [
    "924f7c50-505f-11eb-ae0a-3fa2e626a51d"
  ]
}
Response examples (200) 
{
  "migrations": [
    {
      "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "status": "success",
      "updated": "2021-01-06T22:05:56.859Z",
      "version": 16,
      "sourceIndex": ".siem-signals-default-000002",
      "destinationIndex": ".siem-signals-default-000002-r000016"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500) 
{
  "message": "string",
  "status_code": 42
}

Create an endpoint exception list

POST /api/endpoint_list
Api key auth Basic auth

Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned.

Responses

  • 200 application/json

    Successful response

    One of:
    Security_Endpoint_Exceptions_API_ExceptionList object object-2 object
    Hide attributes Show attributes
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • id string(nonempty) Required

      Exception list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the list container.

      Additional properties are allowed.

    • name string Required

      The name of the exception list.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single.

    • os_types array[string]

      Use this field to specify the operating system. Only enter one value.

      Values are linux, macos, or windows.

    • tags array[string]

      String array containing words and phrases to help categorize exception containers.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      The type of exception list to be created. Different list types may denote where they can be utilized.

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version, automatically increasd on updates.

      Minimum value is 1.
  • 400 application/json

    Invalid input data

    One of:
    Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
POST /api/endpoint_list 
curl \
 --request POST 'http://localhost:5622/api/endpoint_list' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "_version": "string",
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "description": "This list tracks allowlisted values.",
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "immutable": true,
  "list_id": "simple_list",
  "meta": {},
  "name": "My exception list",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "detection",
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "version": 42
}
{}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500) 
{
  "message": "string",
  "status_code": 42
}

List Entity Store Entities

GET /api/entity_store/entities/list
Api key auth Basic auth

List entities records, paging, sorting and filtering as needed.

Query parameters

Responses

  • 200 application/json

    Entities returned successfully

    Hide response attributes Show response attributes object
    • inspect object
      Hide inspect attributes Show inspect attributes object
    • page integer Required

      Minimum value is 1.

    • per_page integer Required

      Minimum value is 1, maximum value is 1000.

    • records array[object] Required
      One of:
      Security_Entity_Analytics_API_UserEntity object Security_Entity_Analytics_API_HostEntity object Security_Entity_Analytics_API_ServiceEntity object
      Hide attributes Show attributes
      • @timestamp string(date-time)
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • entity object Required
        Hide entity attributes Show entity attributes object
      • event object
        Hide event attribute Show event attribute object
      • user object Required
        Hide user attributes Show user attributes object
        • domain array[string]
        • email array[string]
        • full_name array[string]
        • hash array[string]
        • id array[string]
        • name string Required
        • risk object
          Hide risk attributes Show risk attributes object
          • @timestamp string(date-time) Required

            The time at which the risk score was calculated.

          • calculated_level string Required

            Lexical description of the entity's risk.

            Values are Unknown, Low, Moderate, High, or Critical.

          • calculated_score number(double) Required

            The raw numeric value of the given entity's risk score.

          • calculated_score_norm number(double) Required

            The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.

            Minimum value is 0, maximum value is 100.

          • category_1_count number(integer) Required

            The number of risk input documents that contributed to the Category 1 score (category_1_score).

          • category_1_score number(double) Required

            The contribution of Category 1 to the overall risk score (calculated_score). Category 1 contains Detection Engine Alerts.

          • category_2_count number(integer)
          • category_2_score number(double)
          • criticality_level string

            The criticality level of the asset.

            Values are low_impact, medium_impact, high_impact, or extreme_impact.

          • criticality_modifier number(double)
          • id_field string Required

            The identifier field defining this risk score. Coupled with id_value, uniquely identifies the entity being scored.

          • id_value string Required

            The identifier value defining this risk score. Coupled with id_field, uniquely identifies the entity being scored.

          • inputs array[object] Required

            A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.

            A generic representation of a document contributing to a Risk Score.

            Hide inputs attributes Show inputs attributes object
            • category string Required

              The risk category of the risk input document.

            • contribution_score number(double)
            • description string Required

              A human-readable description of the risk input document.

            • id string Required

              The unique identifier (_id) of the original source document

            • index string Required

              The unique index (_index) of the original source document

            • risk_score number(double)

              The weighted risk score of the risk input document.

              Minimum value is 0, maximum value is 100.

            • timestamp string

              The @timestamp of the risk input document.

          • notes array[string] Required
        • roles array[string]
    • total integer Required

      Minimum value is 0.
GET /api/entity_store/entities/list 
curl \
 --request GET 'http://localhost:5622/api/entity_store/entities/list?entity_types=user' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "inspect": {
    "dsl": [
      "string"
    ],
    "response": [
      "string"
    ]
  },
  "page": 42,
  "per_page": 42,
  "records": [
    {
      "@timestamp": "2025-05-04T09:42:00Z",
      "asset": {
        "criticality": "low_impact"
      },
      "entity": {
        "name": "string",
        "source": "string"
      },
      "event": {
        "ingested": "2025-05-04T09:42:00Z"
      },
      "user": {
        "domain": [
          "string"
        ],
        "email": [
          "string"
        ],
        "full_name": [
          "string"
        ],
        "hash": [
          "string"
        ],
        "id": [
          "string"
        ],
        "name": "string",
        "risk": {
          "@timestamp": "2017-07-21T17:32:28Z",
          "calculated_level": "Critical",
          "calculated_score": 42.0,
          "calculated_score_norm": 42.0,
          "category_1_count": 42.0,
          "category_1_score": 42.0,
          "category_2_count": 42.0,
          "category_2_score": 42.0,
          "criticality_level": "low_impact",
          "criticality_modifier": 42.0,
          "id_field": "host.name",
          "id_value": "example.host",
          "inputs": [
            {
              "category": "category_1",
              "contribution_score": 42.0,
              "description": "Generated from Detection Engine Rule: Malware Prevention Alert",
              "id": "91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c",
              "index": ".internal.alerts-security.alerts-default-000001",
              "risk_score": 42.0,
              "timestamp": "2017-07-21T17:32:28Z"
            }
          ],
          "notes": [
            "string"
          ]
        },
        "roles": [
          "string"
        ]
      }
    }
  ],
  "total": 42
}

Get value lists

GET /api/lists/_find
Api key auth Basic auth

Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page.

Query parameters

  • page integer

    The page number to return.

  • per_page integer

    The number of value lists to return per page.

  • sort_field string(nonempty)

    Determines which field is used to sort the results.

    Minimum length is 1.

  • sort_order string

    Determines the sort order, which can be desc or asc

    Values are desc or asc.

  • cursor string(nonempty)

    Returns the lists that come after the last lists returned in the previous call (use the cursor value returned in the previous call). This parameter uses the tie_breaker_id field to ensure all lists are sorted and returned correctly.

    Minimum length is 1.

  • filter string

    Filters the returned results according to the value of the specified field, using the : syntax.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • cursor string(nonempty) Required

      Minimum length is 1.

    • data array[object] Required
      Hide data attributes Show data attributes object
      • _version string

        The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

      • @timestamp string(date-time)
      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string Required

        Autogenerated value - user that created object.

      • description string(nonempty) Required

        Describes the value list.

        Minimum length is 1.

      • deserializer string

        Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

        • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
        • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
        • {{{gte}}},{{{lte}}} - Date range values.
      • id string(nonempty) Required

        Value list's identifier.

        Minimum length is 1.

      • immutable boolean Required
      • meta object

        Placeholder for metadata about the value list.

        Additional properties are allowed.

      • name string(nonempty) Required

        Value list's name.

        Minimum length is 1.

      • serializer string

        Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

        • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
        • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
      • tie_breaker_id string Required

        Field used in search to ensure all containers are sorted and returned correctly.

      • type string Required

        Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

        • keyword: Many ECS fields are Elasticsearch keywords
        • ip: IP addresses
        • ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

        Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

      • updated_at string(date-time) Required

        Autogenerated date of last object update.

      • updated_by string Required

        Autogenerated value - user that last updated object.

      • version integer Required

        The document version number.

        Minimum value is 1.

    • page integer Required

      Minimum value is 0.

    • per_page integer Required

      Minimum value is 0.

    • total integer Required

      Minimum value is 0.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
GET /api/lists/_find 
curl \
 --request GET 'http://localhost:5622/api/lists/_find' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": [
    {
      "id": "ip_list",
      "name": "Simple list with an ip",
      "type": "ip",
      "version": 1,
      "_version": "WzAsMV0=",
      "immutable": false,
      "@timestamp": "2025-01-08T04:47:34.273Z\n",
      "created_at": "2025-01-08T04:47:34.273Z\n",
      "created_by": "elastic",
      "updated_at": "2025-01-08T04:47:34.273Z\n",
      "updated_by": "elastic",
      "description": "This list describes bad internet ip",
      "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
    }
  ],
  "page": 1,
  "total": 1,
  "cursor": "WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d",
  "per_page": 20
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request query]: page: Expected number, received nan",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}