Authentication

The API accepts 2 different authentication methods:

Api key auth (http_api_key)

These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey

Basic auth (http)

Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password (separated by a : colon).

Example: send a Authorization: Basic aGVsbG86aGVsbG8= HTTP header with your requests to authenticate with the API.



Get the alerting framework health

GET /api/alerting/_health

You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.

      Additional properties are allowed.

      Hide alerting_framework_health attributes Show alerting_framework_health attributes object
      • The timestamp and status of the rule decryption.

        Additional properties are allowed.

        Hide decryption_health attributes Show decryption_health attributes object
      • The timestamp and status of the rule run.

        Additional properties are allowed.

        Hide execution_health attributes Show execution_health attributes object
      • The timestamp and status of the rule reading events.

        Additional properties are allowed.

        Hide read_health attributes Show read_health attributes object
    • If false, the encrypted saved object plugin does not have a permanent encryption key.

    • If false, security is enabled but TLS is not.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/_health
curl \
 --request GET https://localhost:5601/api/alerting/_health
Response examples (200)
{
  "is_sufficiently_secure": true,
  "alerting_framework_health": {
    "read_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "execution_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "decryption_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "has_permanent_encryption_key": true
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get the rule types

GET /api/alerting/rule_types

If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • action_groups array[object]

      An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.

      Hide action_groups attributes Show action_groups attributes object
    • A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.

      Additional properties are allowed.

      Hide action_variables attributes Show action_variables attributes object
    • alerts object

      Details for writing alerts as data documents for this rule type.

      Additional properties are allowed.

      Hide alerts attributes Show alerts attributes object
      • context string

        The namespace for this rule type.

        Values are ml.anomaly-detection, observability.apm, observability.logs, observability.metrics, observability.slo, observability.threshold, observability.uptime, security, or stack.

      • dynamic string

        Indicates whether new fields are added dynamically.

        Values are false, runtime, strict, or true.

      • Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.

      • mappings object

        Additional properties are allowed.

        Hide mappings attribute Show mappings attribute object
        • fieldMap object

          Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.

          Hide fieldMap attribute Show fieldMap attribute object
          • * object Additional properties

            Additional properties are allowed.

            Hide * attributes Show * attributes object
            • array boolean

              Indicates whether the field is an array.

            • dynamic boolean

              Indicates whether it is a dynamic field mapping.

            • format string

              Indicates the format of the field. For example, if the type is date_range, the format can be epoch_millis||strict_date_optional_time.

            • Specifies the maximum length of a string field. Longer strings are not indexed or stored.

            • index boolean

              Indicates whether field values are indexed.

            • path string

              TBD

            • Details about the object properties. This property is applicable when type is object.

              Hide properties attribute Show properties attribute object
              • * object Additional properties

                Additional properties are allowed.

                Hide * attribute Show * attribute object
                • type string

                  The data type for each object property.

            • required boolean

              Indicates whether the field is required.

            • The scaling factor to use when encoding values. This property is applicable when type is scaled_float. Values will be multiplied by this factor at index time and rounded to the closest long value.

            • type string

              Specifies the data type for the field.

      • A secondary alias. It is typically used to support the signals alias for detection rules.

      • Indicates whether the rule should write out alerts as data.

      • useEcs boolean

        Indicates whether to include the ECS component template for the alerts.

      • Indicates whether to include the legacy component template for the alerts.

        Default value is false.

    • The list of the plugins IDs that have access to the rule type.

      Additional properties are allowed.

      Hide authorized_consumers attributes Show authorized_consumers attributes object
      • alerts object

        Additional properties are allowed.

        Hide alerts attributes Show alerts attributes object
      • apm object

        Additional properties are allowed.

        Hide apm attributes Show apm attributes object
      • discover object

        Additional properties are allowed.

        Hide discover attributes Show discover attributes object
      • Additional properties are allowed.

        Hide infrastructure attributes Show infrastructure attributes object
      • logs object

        Additional properties are allowed.

        Hide logs attributes Show logs attributes object
      • ml object

        Additional properties are allowed.

        Hide ml attributes Show ml attributes object
      • Additional properties are allowed.

        Hide monitoring attributes Show monitoring attributes object
      • siem object

        Additional properties are allowed.

        Hide siem attributes Show siem attributes object
      • slo object

        Additional properties are allowed.

        Hide slo attributes Show slo attributes object
      • Additional properties are allowed.

        Hide stackAlerts attributes Show stackAlerts attributes object
      • uptime object

        Additional properties are allowed.

        Hide uptime attributes Show uptime attributes object
    • category string

      The rule category, which is used by features such as category-specific maintenance windows.

      Values are management, observability, or securitySolution.

    • The default identifier for the rule type group.

    • Indicates whether the rule passes context variables to its recovery action.

    • Indicates whether the rule type is enabled or disabled based on the subscription.

    • Indicates whether the rule type has custom mappings for the alert data.

    • id string

      The unique identifier for the rule type.

    • Indicates whether the rule type is exportable in Stack Management > Saved Objects.

    • The subscriptions required to use the rule type.

    • name string

      The descriptive name of the rule type.

    • producer string

      An identifier for the application that produces this rule type.

    • An action group to use when an alert goes from an active state to an inactive one.

      Additional properties are allowed.

      Hide recovery_action_group attributes Show recovery_action_group attributes object
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/rule_types
curl \
 --request GET https://localhost:5601/api/alerting/rule_types
Response examples (200)
[
  {
    "id": "xpack.ml.anomaly_detection_alert",
    "name": "Anomaly detection alert",
    "alerts": {
      "context": "ml.anomaly-detection",
      "mappings": {
        "fieldMap": {
          "kibana.alert.job_id": {
            "type": "keyword",
            "array": false,
            "required": true
          },
          "kibana.alert.is_interim": {
            "type": "boolean",
            "array": false,
            "required": false
          },
          "kibana.alert.top_records": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "actual": {
                "type": "double"
              },
              "job_id": {
                "type": "keyword"
              },
              "typical": {
                "type": "double"
              },
              "function": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "field_name": {
                "type": "keyword"
              },
              "is_interim": {
                "type": "boolean"
              },
              "record_score": {
                "type": "double"
              },
              "by_field_name": {
                "type": "keyword"
              },
              "by_field_value": {
                "type": "keyword"
              },
              "detector_index": {
                "type": "integer"
              },
              "over_field_name": {
                "type": "keyword"
              },
              "over_field_value": {
                "type": "keyword"
              },
              "initial_record_score": {
                "type": "double"
              },
              "partition_field_name": {
                "type": "keyword"
              },
              "partition_field_value": {
                "type": "keyword"
              }
            }
          },
          "kibana.alert.anomaly_score": {
            "type": "double",
            "array": false,
            "required": false
          },
          "kibana.alert.top_influencers": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "job_id": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "is_interim": {
                "type": "boolean"
              },
              "influencer_score": {
                "type": "double"
              },
              "influencer_field_name": {
                "type": "keyword"
              },
              "influencer_field_value": {
                "type": "keyword"
              },
              "initial_influencer_score": {
                "type": "double"
              }
            }
          },
          "kibana.alert.anomaly_timestamp": {
            "type": "date",
            "array": false,
            "required": false
          }
        }
      },
      "shouldWrite": true
    },
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_score_match",
        "name": "Anomaly score matched the condition"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "timestamp",
          "description": "The bucket timestamp of the anomaly"
        },
        {
          "name": "timestampIso8601",
          "description": "The bucket time of the anomaly in ISO8601 format"
        },
        {
          "name": "jobIds",
          "description": "List of job IDs that triggered the alert"
        },
        {
          "name": "message",
          "description": "Alert info message"
        },
        {
          "name": "isInterim",
          "description": "Indicate if top hits contain interim results"
        },
        {
          "name": "score",
          "description": "Anomaly score at the time of the notification action"
        },
        {
          "name": "topRecords",
          "description": "Top records"
        },
        {
          "name": "topInfluencers",
          "description": "Top influencers"
        },
        {
          "name": "anomalyExplorerUrl",
          "description": "URL to open in the Anomaly Explorer",
          "useWithTripleBracesInTemplates": true
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": true,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_score_match",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  },
  {
    "id": "xpack.ml.anomaly_detection_jobs_health",
    "name": "Anomaly detection jobs health",
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_detection_realtime_issue",
        "name": "Issue detected"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "results",
          "description": "Results of the rule execution"
        },
        {
          "name": "message",
          "description": "Alert info message"
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": false,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_detection_realtime_issue",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}








Create a rule

POST /api/alerting/rule/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule. If it is omitted, an ID is randomly generated.

application/json

Body

  • actions array[object]

    Default value is [] (empty).

    Hide actions attributes Show actions attributes object
    • Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.

      Additional properties are NOT allowed.

      Hide alerts_filter attributes Show alerts_filter attributes object
      • query object

        Additional properties are NOT allowed.

        Hide query attributes Show query attributes object
        • dsl string

          A filter written in Elasticsearch Query Domain Specific Language (DSL).

        • filters array[object] Required

          A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

          Hide filters attributes Show filters attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              A filter can be either specific to an application context or applied globally.

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

          • query object

            Additional properties are allowed.

        • kql string Required

          A filter written in Kibana Query Language (KQL).

      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide timeframe attributes Show timeframe attributes object
        • days array[integer] Required

          Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

          Values are 1, 2, 3, 4, 5, 6, or 7.

        • hours object Required

          Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.

          Additional properties are NOT allowed.

          Hide hours attributes Show hours attributes object
          • end string Required

            The end of the time frame in 24-hour notation (hh:mm).

          • start string Required

            The start of the time frame in 24-hour notation (hh:mm).

        • timezone string Required

          The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

    • Additional properties are NOT allowed.

      Hide frequency attributes Show frequency attributes object
      • notify_when string Required

        Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

        Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

      • summary boolean Required

        Indicates whether the action is a summary.

      • throttle string | null Required

        The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • group string

      The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

    • id string Required

      The identifier for the connector saved object.

    • params object

      The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

      Default value is {} (empty). Additional properties are allowed.

    • Indicates whether to use alert data as a template.

    • uuid string

      A universally unique identifier (UUID) for the action.

  • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

    Additional properties are NOT allowed.

    Hide alert_delay attribute Show alert_delay attribute object
    • active number Required

      The number of consecutive runs that must meet the rule conditions.

  • consumer string Required

    The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

  • enabled boolean

    Indicates whether you want to run the rule on an interval basis after it is created.

    Default value is true.

  • flapping object | null

    When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

    Additional properties are NOT allowed.

    Hide flapping attributes Show flapping attributes object | null
    • look_back_window number Required

      The minimum number of runs in which the threshold must be met.

      Minimum value is 2, maximum value is 20.

    • The minimum number of times an alert must switch states in the look back window.

      Minimum value is 2, maximum value is 20.

  • name string Required

    The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.

  • notify_when string | null

    Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

  • rule_type_id string Required

    The rule type identifier.

  • schedule object Required

    The check interval, which specifies how frequently the rule conditions are checked.

    Additional properties are NOT allowed.

    Hide schedule attribute Show schedule attribute object
    • interval string Required

      The interval is specified in seconds, minutes, hours, or days.

  • tags array[string]

    The tags for the rule.

    Default value is [] (empty).

  • throttle string | null

    Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

  • params object

    The parameters for the rule.

    Any of:
    Hide attributes Show attributes

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • Additional properties are allowed.

    • Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • Total number of alerts created during last rule run.

            • Total number of alerts detected during last rule run.

            • Total time spent indexing documents during last rule run in milliseconds.

            • Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • Relative URL to view rule in the app.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates that the rule id is already in use.

POST /api/alerting/rule/{id}
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'
Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.
{
  "name": "my Elasticsearch query ESQL rule",
  "params": {
    "size": 0,
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActiveAlert"
      }
    }
  ],
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
{
  "name": "my Elasticsearch query rule",
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      }
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Kibana query language (KQL).
{
  "name": "my Elasticsearch query KQL rule",
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "rule_type_id": ".es-query"
}
Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.
{
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "alert_delay": {
    "active": 3
  },
  "rule_type_id": ".index-threshold"
}
Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.
{
  "name": "my tracking rule",
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField\"": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1h"
  },
  "rule_type_id": ".geo-containment"
}
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
{
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "name": "my Elasticsearch query ESQL rule",
  "tags": [],
  "params": {
    "size": 0,
    "aggType": "count",
    "groupBy": "all",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun\"": "true,"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActiveAlert"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "stackAlerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic\",",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-11-01T19:00:10.453Z"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "api_key_created_by_user": false
}
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).
{
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "name": "my Elasticsearch query rule",
  "tags": [],
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "aggType": "count",
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "groupBy": "all",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "searchType": "esQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      },
      "connector_type_id": ".server-log"
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-08-22T00:03:38.263Z"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "api_key_created_by_user": false
}
The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).
{
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "name": "my Elasticsearch query KQL rule\"",
  "tags": [],
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-07-14T20:24:50.729Z"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "api_key_created_by_user": false
}
The response for successfully creating an index threshold rule.
{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic",
  "alert_delay": {
    "active": 3
  },
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2022-06-08T17:20:31.632Z"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "api_key_created_by_user": false
}
The response for successfully creating a tracking containment rule.
{
  "id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "name": "my tracking rule",
  "tags": [],
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    },
    "outcome_order": 0
  },
  "mute_all": false,
  "next_run": "2024-02-15T03:26:38.033Z",
  "revision": 1,
  "schedule": {
    "interval": "1h"
  },
  "throttle": null,
  "created_at": "2024-02-14T19:52:55.920Z",
  "created_by": "elastic",
  "updated_at": "2024-02-15T03:24:32.574Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".geo-containment",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 74,
    "last_execution_date": "2024-02-15T03:25:38.125Z"
  },
  "scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "api_key_created_by_user": false
}

Delete a rule

DELETE /api/alerting/rule/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

DELETE /api/alerting/rule/{id}
curl \
 --request DELETE https://localhost:5601/api/alerting/rule/{id} \
 --header "kbn-xsrf: true"

















































Get environments for service

GET /api/apm/settings/agent-configuration/environments

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • environments array[object]

      Service environment list

      Hide environments attributes Show environments attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/environments
curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration/environments \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "environments": [
    {
      "alreadyConfigured": true,
      "name": "ALL_OPTION_VALUE"
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}






















APM server schema

Create APM fleet server schema.










Upload source map

POST /api/apm/sourcemaps

Upload a source map for a specific service and version.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

multipart/form-data

Body Required

Responses

POST /api/apm/sourcemaps
curl \
 --request POST https://localhost:5601/api/apm/sourcemaps \
 --header "Content-Type: multipart/form-data" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --form "bundle_filepath=string" \
 --form "service_name=string" \
 --form "service_version=string" \
 --form "sourcemap=@file"
Response examples (200)
{
  "body": "string",
  "compressionAlgorithm": "string",
  "created": "string",
  "decodedSha256": "string",
  "decodedSize": 42.0,
  "encodedSha256": "string",
  "encodedSize": 42.0,
  "encryptionAlgorithm": "string",
  "id": "string",
  "identifier": "string",
  "packageName": "string",
  "relative_url": "string",
  "type": "string"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Delete source map

DELETE /api/apm/sourcemaps/{id}

Delete a previously uploaded source map.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    Source map identifier

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
  • 501 application/json

    Not Implemented response

    Hide response attributes Show response attributes object
DELETE /api/apm/sourcemaps/{id}
curl \
 --request DELETE https://localhost:5601/api/apm/sourcemaps/{id} \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}





















Get all alerts for a case Technical preview

GET /api/cases/{caseId}/alerts

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/alerts
curl \
 --request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/alerts
Response examples (200)
[
  {
    "id": "f6a7d0c3-d52d-432c-b2e6-447cd7fce04d",
    "index": ".alerts-observability.logs.alerts-default",
    "attached_at": "2022-07-25T20:09:40.963Z"
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

































































Get connector types

GET /api/actions/connector_types

You do not need any Kibana feature privileges to run this API.

Query parameters

  • A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/actions/connector_types
curl \
 --request GET https://localhost:5601/api/actions/connector_types
Response examples (200)
[
  {
    "id": ".gen-ai",
    "name": "OpenAI",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".bedrock",
    "name": "AWS Bedrock",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".gemini",
    "name": "Google Gemini",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity"
    ],
    "minimum_license_required": "enterprise"
  }
]





























Get a dashboard Technical Preview

GET /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Path parameters

  • id string Required

    A unique identifier for the dashboard.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • Show apply selections button in controls.

            Default value is true.

          • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • Ignore global filters in controls.

              Default value is false.

            • Ignore the global query bar in controls.

              Default value is false.

            • Ignore the global time range in controls.

              Default value is false.

            • Ignore validations in controls.

              Default value is false.

          • Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • A short description.

          Default value is empty.

        • A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]
              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • version string
    • meta object Required

      Additional properties are NOT allowed.

      Hide meta attributes Show meta attributes object
GET /api/dashboards/dashboard/{id}
curl \
 --request GET https://localhost:5601/api/dashboards/dashboard/{id}
Response examples (200)
{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  },
  "meta": {
    "aliasPurpose": "savedObjectConversion",
    "aliasTargetId": "string",
    "outcome": "exactMatch"
  }
}


























































Update a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • runtimeField object Required

    The runtime field definition object.

    You can update following fields:

    • type
    • script

    Additional properties are allowed.

Responses

  • Indicates a successful call.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
 --request POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day \
 --header "Content-Type: application/json" \
 --data '{"runtimeField":{"script":{"source":"emit(doc[\"bar\"].value)"}}}'
Request example
{
  "runtimeField": {
    "script": {
      "source": "emit(doc[\"bar\"].value)"
    }
  }
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}




Get the default data view

GET /api/data_views/default

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
GET /api/data_views/default
curl \
 --request GET https://localhost:5601/api/data_views/default
Response examples (200)
{
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}













Create an agent action

POST /api/fleet/agents/{agentId}/actions

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

  • action object Required

    Any of:
    Hide attribute Show attribute
    • type string Required

      Values are UNENROLL, UPGRADE, or POLICY_REASSIGN.

Responses

POST /api/fleet/agents/{agentId}/actions
curl \
 --request POST https://localhost:5601/api/fleet/agents/{agentId}/actions \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"action":{"type":"UNENROLL"}}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "action": {
    "type": "UNENROLL"
  }
}
Response examples (200)
{
  "item": {
    "agents": [
      "string"
    ],
    "created_at": "string",
    "expiration": "string",
    "id": "string",
    "minimum_execution_duration": 42.0,
    "namespaces": [
      "string"
    ],
    "rollout_duration_seconds": 42.0,
    "sent_at": "string",
    "source_uri": "string",
    "start_time": "string",
    "total": 42.0,
    "type": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}








Unenroll an agent

POST /api/fleet/agents/{agentId}/unenroll

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

POST /api/fleet/agents/{agentId}/unenroll
curl \
 --request POST https://localhost:5601/api/fleet/agents/{agentId}/unenroll \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"revoke":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "revoke": true
}








Cancel an agent action

POST /api/fleet/agents/actions/{actionId}/cancel

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Responses

POST /api/fleet/agents/actions/{actionId}/cancel
curl \
 --request POST https://localhost:5601/api/fleet/agents/actions/{actionId}/cancel \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "item": {
    "agents": [
      "string"
    ],
    "created_at": "string",
    "expiration": "string",
    "id": "string",
    "minimum_execution_duration": 42.0,
    "namespaces": [
      "string"
    ],
    "rollout_duration_seconds": 42.0,
    "sent_at": "string",
    "source_uri": "string",
    "start_time": "string",
    "total": 42.0,
    "type": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk reassign agents

POST /api/fleet/agents/bulk_reassign

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/agents/bulk_reassign
curl \
 --request POST https://localhost:5601/api/fleet/agents/bulk_reassign \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"policy_id":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agents": [
    "string"
  ],
  "batchSize": 42.0,
  "includeInactive": false,
  "policy_id": "string"
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

































Delete an agent binary download source

DELETE /api/fleet/agent_download_sources/{sourceId}

Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/agent_download_sources/{sourceId}
curl \
 --request DELETE https://localhost:5601/api/fleet/agent_download_sources/{sourceId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}













Get an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}

Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].

Query parameters

  • format string

    Values are simplified or legacy.

Responses

GET /api/fleet/agent_policies/{agentPolicyId}
curl \
 --request GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}
Response examples (200)
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update an agent policy

PUT /api/fleet/agent_policies/{agentPolicyId}

Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body

Responses

PUT /api/fleet/agent_policies/{agentPolicyId}
curl \
 --request PUT https://localhost:5601/api/fleet/agent_policies/{agentPolicyId} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"advanced_settings":{},"agent_features":[{"enabled":true,"name":"string"}],"agentless":{"resources":{"requests":{"cpu":"string","memory":"string"}}},"data_output_id":"string","description":"string","download_source_id":"string","fleet_server_host_id":"string","force":true,"global_data_tags":[{"name":"string","value":"string"}],"has_fleet_server":true,"id":"string","inactivity_timeout":1209600,"is_default":true,"is_default_fleet_server":true,"is_managed":true,"is_protected":true,"keep_monitoring_alive":false,"monitoring_diagnostics":{"limit":{"burst":42.0,"interval":"string"},"uploader":{"init_dur":"string","max_dur":"string","max_retries":42.0}},"monitoring_enabled":["logs"],"monitoring_http":{"buffer":{"enabled":false},"enabled":true,"host":"string","port":42.0},"monitoring_output_id":"string","monitoring_pprof_enabled":true,"name":"string","namespace":"string","overrides":{},"required_versions":[{"percentage":42.0,"version":"string"}],"space_ids":["string"],"supports_agentless":false,"unenroll_timeout":42.0}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "advanced_settings": {},
  "agent_features": [
    {
      "enabled": true,
      "name": "string"
    }
  ],
  "agentless": {
    "resources": {
      "requests": {
        "cpu": "string",
        "memory": "string"
      }
    }
  },
  "data_output_id": "string",
  "description": "string",
  "download_source_id": "string",
  "fleet_server_host_id": "string",
  "force": true,
  "global_data_tags": [
    {
      "name": "string",
      "value": "string"
    }
  ],
  "has_fleet_server": true,
  "id": "string",
  "inactivity_timeout": 1209600,
  "is_default": true,
  "is_default_fleet_server": true,
  "is_managed": true,
  "is_protected": true,
  "keep_monitoring_alive": false,
  "monitoring_diagnostics": {
    "limit": {
      "burst": 42.0,
      "interval": "string"
    },
    "uploader": {
      "init_dur": "string",
      "max_dur": "string",
      "max_retries": 42.0
    }
  },
  "monitoring_enabled": [
    "logs"
  ],
  "monitoring_http": {
    "buffer": {
      "enabled": false
    },
    "enabled": true,
    "host": "string",
    "port": 42.0
  },
  "monitoring_output_id": "string",
  "monitoring_pprof_enabled": true,
  "name": "string",
  "namespace": "string",
  "overrides": {},
  "required_versions": [
    {
      "percentage": 42.0,
      "version": "string"
    }
  ],
  "space_ids": [
    "string"
  ],
  "supports_agentless": false,
  "unenroll_timeout": 42.0
}
Response examples (200)
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}


















































Get an agent

GET /api/fleet/agents/{agentId}

Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Query parameters

Responses

GET /api/fleet/agents/{agentId}
curl \
 --request GET https://localhost:5601/api/fleet/agents/{agentId}
Response examples (200)
{
  "item": {
    "access_api_key": "string",
    "access_api_key_id": "string",
    "active": true,
    "agent": {
      "id": "string",
      "version": "string"
    },
    "audit_unenrolled_reason": "string",
    "components": [
      {
        "id": "string",
        "message": "string",
        "status": "STARTING",
        "type": "string",
        "units": [
          {
            "id": "string",
            "message": "string",
            "payload": {},
            "status": "STARTING",
            "type": "input"
          }
        ]
      }
    ],
    "default_api_key": "string",
    "default_api_key_history": [
      {
        "id": "string",
        "retired_at": "string"
      }
    ],
    "default_api_key_id": "string",
    "enrolled_at": "string",
    "id": "string",
    "last_checkin": "string",
    "last_checkin_message": "string",
    "last_checkin_status": "error",
    "local_metadata": {},
    "metrics": {
      "cpu_avg": 42.0,
      "memory_size_byte_avg": 42.0
    },
    "namespaces": [
      "string"
    ],
    "outputs": {
      "additionalProperty1": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      },
      "additionalProperty2": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      }
    },
    "packages": [
      "string"
    ],
    "policy_id": "string",
    "policy_revision": 42.0,
    "sort": [
      42.0
    ],
    "status": "offline",
    "tags": [
      "string"
    ],
    "type": "PERMANENT",
    "unenrolled_at": "string",
    "unenrollment_started_at": "string",
    "unhealthy_reason": [
      "input"
    ],
    "upgrade_details": {
      "action_id": "string",
      "metadata": {
        "download_percent": 42.0,
        "download_rate": 42.0,
        "error_msg": "string",
        "failed_state": "UPG_REQUESTED",
        "retry_error_msg": "string",
        "retry_until": "string",
        "scheduled_at": "string"
      },
      "state": "UPG_REQUESTED",
      "target_version": "string"
    },
    "upgrade_started_at": "string",
    "upgraded_at": "string",
    "user_provided_metadata": {}
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}












Get available agent versions

GET /api/fleet/agents/available_versions

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/agents/available_versions
curl \
 --request GET https://localhost:5601/api/fleet/agents/available_versions
Response examples (200)
{
  "items": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete an uploaded file

DELETE /api/fleet/agents/files/{fileId}

Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/agents/files/{fileId}
curl \
 --request DELETE https://localhost:5601/api/fleet/agents/files/{fileId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "deleted": true,
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

















Bulk get assets

POST /api/fleet/epm/bulk_assets

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • assetIds array[object] Required
    Hide assetIds attributes Show assetIds attributes object

Responses

POST /api/fleet/epm/bulk_assets
curl \
 --request POST https://localhost:5601/api/fleet/epm/bulk_assets \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"assetIds":[{"id":"string","type":"string"}]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "assetIds": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}
Response examples (200)
{
  "items": [
    {
      "appLink": "string",
      "attributes": {
        "description": "string",
        "service": "string",
        "title": "string"
      },
      "id": "string",
      "type": "string",
      "updatedAt": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get package categories

GET /api/fleet/epm/categories

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Responses

GET /api/fleet/epm/categories
curl \
 --request GET https://localhost:5601/api/fleet/epm/categories
Response examples (200)
{
  "items": [
    {
      "count": 42.0,
      "id": "string",
      "parent_id": "string",
      "parent_title": "string",
      "title": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




























































Get enrollment API keys

GET /api/fleet/enrollment_api_keys

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].

Query parameters

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • The ID of the agent policy the Elastic Agent will be enrolled in.

    • list array[object] Required Deprecated
      Hide list attributes Show list attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • The ID of the agent policy the Elastic Agent will be enrolled in.

    • page number Required
    • perPage number Required
    • total number Required
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/enrollment_api_keys
curl \
 --request GET https://localhost:5601/api/fleet/enrollment_api_keys
Response examples (200)
{
  "items": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "list": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Get an enrollment API key

GET /api/fleet/enrollment_api_keys/{keyId}

Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • The ID of the agent policy the Elastic Agent will be enrolled in.

  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/enrollment_api_keys/{keyId}
curl \
 --request GET https://localhost:5601/api/fleet/enrollment_api_keys/{keyId}
Response examples (200)
{
  "item": {
    "active": true,
    "api_key": "string",
    "api_key_id": "string",
    "created_at": "string",
    "id": "string",
    "name": "string",
    "policy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}





































































Update a package policy

PUT /api/fleet/package_policies/{packagePolicyId}

Update a package policy by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body object

Any of:
  • Package policy description

  • enabled boolean
  • force boolean
  • inputs array[object]
    Hide inputs attributes Show inputs attributes object
    • config object

      Package variable (see integration documentation for more information)

      Hide config attribute Show config attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
    • enabled boolean Required
    • id string
    • streams array[object]
      Hide streams attributes Show streams attributes object
      • config object

        Package variable (see integration documentation for more information)

        Hide config attribute Show config attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • data_stream object Required

        Additional properties are NOT allowed.

        Hide data_stream attributes Show data_stream attributes object
      • enabled boolean Required
      • id string
      • release string

        Values are ga, beta, or experimental.

      • vars object

        Package variable (see integration documentation for more information)

        Hide vars attribute Show vars attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
    • type string Required
    • vars object

      Package variable (see integration documentation for more information)

      Hide vars attribute Show vars attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
  • is_managed boolean
  • name string
  • The package policy namespace. Leave blank to inherit the agent policy's namespace.

  • output_id string | null
  • overrides object | null

    Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

    Additional properties are NOT allowed.

    Hide overrides attribute Show overrides attribute object | null
    • inputs object

      Additional properties are allowed.

  • package object

    Additional properties are NOT allowed.

    Hide package attributes Show package attributes object
  • policy_id string | null Deprecated

    Agent policy ID where that package policy will be added

  • policy_ids array[string]

    Agent policy IDs where that package policy will be added

  • supports_agentless boolean | null

    Indicates whether the package policy belongs to an agentless agent policy.

    Default value is false.

  • vars object

    Package variable (see integration documentation for more information)

    Hide vars attribute Show vars attribute object
    • * object Additional properties

      Additional properties are NOT allowed.

      Hide * attributes Show * attributes object
  • version string

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 403 application/json
    Hide response attributes Show response attributes object
PUT /api/fleet/package_policies/{packagePolicyId}
curl \
 --request PUT https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"description":"string","enabled":true,"force":true,"inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"version":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "enabled": true,
  "force": true,
  "inputs": [
    {
      "config": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "enabled": true,
      "id": "string",
      "keep_enabled": true,
      "policy_template": "string",
      "streams": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "data_stream": {
            "dataset": "string",
            "elasticsearch": {
              "dynamic_dataset": true,
              "dynamic_namespace": true,
              "privileges": {
                "indices": [
                  "string"
                ]
              }
            },
            "type": "string"
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "release": "ga",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "type": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      }
    }
  ],
  "is_managed": true,
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "overrides": {
    "inputs": {}
  },
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {
    "additionalProperty1": {
      "frozen": true,
      "type": "string"
    },
    "additionalProperty2": {
      "frozen": true,
      "type": "string"
    }
  },
  "version": "string"
}
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "force": true,
  "id": "string",
  "inputs": {
    "additionalProperty1": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    },
    "additionalProperty2": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    }
  },
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {}
}
Response examples (200)
{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Bulk delete package policies

POST /api/fleet/package_policies/delete

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/package_policies/delete
curl \
 --request POST https://localhost:5601/api/fleet/package_policies/delete \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"packagePolicyIds":["string"]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "packagePolicyIds": [
    "string"
  ]
}
Response examples (200)
[
  {
    "body": {
      "message": "string"
    },
    "id": "string",
    "name": "string",
    "output_id": "string",
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "statusCode": 42.0,
    "success": true
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Upgrade a package policy

POST /api/fleet/package_policies/upgrade

Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/package_policies/upgrade
curl \
 --request POST https://localhost:5601/api/fleet/package_policies/upgrade \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"packagePolicyIds":["string"]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "packagePolicyIds": [
    "string"
  ]
}
Response examples (200)
[
  {
    "body": {
      "message": "string"
    },
    "id": "string",
    "name": "string",
    "statusCode": 42.0,
    "success": true
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

















Update a proxy

PUT /api/fleet/proxies/{itemId}

Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

PUT /api/fleet/proxies/{itemId}
curl \
 --request PUT https://localhost:5601/api/fleet/proxies/{itemId} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","name":"string","proxy_headers":{},"url":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "certificate": "string",
  "certificate_authorities": "string",
  "certificate_key": "string",
  "name": "string",
  "proxy_headers": {},
  "url": "string"
}
Response examples (200)
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a proxy

DELETE /api/fleet/proxies/{itemId}

Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/proxies/{itemId}
curl \
 --request DELETE https://localhost:5601/api/fleet/proxies/{itemId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get Fleet Server hosts

GET /api/fleet/fleet_server_hosts

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].

Responses

GET /api/fleet/fleet_server_hosts
curl \
 --request GET https://localhost:5601/api/fleet/fleet_server_hosts
Response examples (200)
{
  "items": [
    {
      "host_urls": [
        "string"
      ],
      "id": "string",
      "is_default": false,
      "is_internal": true,
      "is_preconfigured": false,
      "name": "string",
      "proxy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}






















Get metadata for latest uninstall tokens

GET /api/fleet/uninstall_tokens

List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Query parameters

  • policyId string

    Partial match filtering for policy IDs

    Maximum length is 50.

  • perPage number

    The number of items to return

    Minimum value is 5.

  • page number

    Minimum value is 1.

Responses

GET /api/fleet/uninstall_tokens
curl \
 --request GET https://localhost:5601/api/fleet/uninstall_tokens
Response examples (200)
{
  "items": [
    {
      "created_at": "string",
      "id": "string",
      "namespaces": [
        "string"
      ],
      "policy_id": "string",
      "policy_name": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}