The identifier for the rule.
curl \
--request POST 'https://localhost:5601/api/alerting/rule/{id}/_disable' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"untrack":true}'# Headers
kbn-xsrf: true
# Payload
{
"untrack": true
}The identifier for the rule.
curl \
--request POST 'https://localhost:5601/api/alerting/rule/{id}/_update_api_key' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"The version of the API to use
Value is 2023-10-31. Default value is 2023-10-31.
A required header to protect against CSRF attacks
If the config exists ?overwrite=true is required
Agent name
Service
Agent configuration settings
curl \
--request PUT 'https://localhost:5601/api/apm/settings/agent-configuration' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"agent_name":"string","service":{"environment":"prod","name":"node"},"settings":{"additionalProperty1":"string","additionalProperty2":"string"}}'# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"agent_name": "string",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}{}{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}The version of the API to use
Value is 2023-10-31. Default value is 2023-10-31.
Service name
Service environment
curl \
--request GET 'https://localhost:5601/api/apm/settings/agent-configuration/view' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"{
"id": "string",
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414' \
--header "Authorization: $API_KEY"{
"id": "31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzM2LDFd",
"category": null,
"comments": [
{
"id": "2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
"type": "user",
"owner": "cases",
"comment": "A new comment",
"version": "WzM3LDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-13T15:40:32.335Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-13T15:40:32.335Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}{
"id": "c3ff7550-def1-4e90-b6bc-c9969a4a09b1",
"tags": [
"observability",
"tag 1"
],
"owner": "observability",
"title": "Observability case title 1",
"status": "in-progress",
"version": "WzI0NywyXQ==",
"category": null,
"comments": [
{
"id": "59d438d0-79a9-4864-8d4b-e63adacebf6e",
"rule": {
"id": "03e4eb87-62ca-4e5d-9570-3d7625e9669d",
"name": "Observability rule"
},
"type": "alert",
"index": [
".internal.alerts-observability.logs.alerts-default-000001"
],
"owner": "observability",
"alertId": [
"a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
],
"version": "WzY3LDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:38.424Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
},
{
"id": "d99342d3-3aa3-4b80-90ec-a702607604f5",
"type": "user",
"owner": "observability",
"comment": "The first comment.",
"version": "WzcyLDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:57.812Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [
{
"uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-11-06T19:29:04.086Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": "2023-11-06T19:47:55.662Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "An Observability case description.",
"totalAlerts": 1,
"customFields": [],
"totalComment": 1,
"external_service": null
}{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
The add comment to case API request body varies depending on whether you are adding an alert or a comment.
Defines properties for case comment requests when type is alert.
The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are cases, observability, or securitySolution.
The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The type of comment.
Value is alert.
curl \
--request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"type":"user","owner":"cases","comment":"A new comment."}'{
"type": "user",
"owner": "cases",
"comment": "A new comment."
}{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Returns information about the users who opened cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
curl \
--request GET 'https://localhost:5601/api/cases/reporters' \
--header "Authorization: $API_KEY"[
{
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
{
"email": "jdoe@example.com",
"username": "jdoe",
"full_name": "Jane Doe",
"profile_uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
]{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}WARNING: When you delete a data view, it cannot be recovered.
An identifier for the data view.
curl \
--request DELETE 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"{
"error": "Not Found",
"message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
"statusCode": 404
}[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request POST 'https://localhost:5601/api/fleet/agents/{agentId}/actions' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"action":{"type":"UNENROLL"}}'# Headers
kbn-xsrf: true
# Payload
{
"action": {
"type": "UNENROLL"
}
}{
"item": {
"agents": [
"string"
],
"created_at": "string",
"expiration": "string",
"id": "string",
"minimum_execution_duration": 42.0,
"namespaces": [
"string"
],
"rollout_duration_seconds": 42.0,
"sent_at": "string",
"source_uri": "string",
"start_time": "string",
"total": 42.0,
"type": "string"
}
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].
Values are desc or asc.
use withAgentCount instead
get policies with agent count
get full policies with package policies populated
Values are simplified or legacy.
curl \
--request GET 'https://localhost:5601/api/fleet/agent_policies' \
--header "Authorization: $API_KEY"{
"items": [
{
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"agents": 42.0,
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_preconfigured": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"package_policies": [
"string"
],
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"revision": 42.0,
"schema_version": "string",
"space_ids": [
"string"
],
"status": "active",
"supports_agentless": false,
"unenroll_timeout": 42.0,
"unprivileged_agents": 42.0,
"updated_at": "string",
"updated_by": "string",
"version": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Get an agent by ID.
[Required authorization] Route required privileges: ALL of [fleet-agents-read].
Default value is false.
curl \
--request GET 'https://localhost:5601/api/fleet/agents/{agentId}' \
--header "Authorization: $API_KEY"{
"item": {
"access_api_key": "string",
"access_api_key_id": "string",
"active": true,
"agent": {
"id": "string",
"version": "string"
},
"audit_unenrolled_reason": "string",
"components": [
{
"id": "string",
"message": "string",
"status": "STARTING",
"type": "string",
"units": [
{
"id": "string",
"message": "string",
"payload": {},
"status": "STARTING",
"type": "input"
}
]
}
],
"default_api_key": "string",
"default_api_key_history": [
{
"id": "string",
"retired_at": "string"
}
],
"default_api_key_id": "string",
"enrolled_at": "string",
"id": "string",
"last_checkin": "string",
"last_checkin_message": "string",
"last_checkin_status": "error",
"local_metadata": {},
"metrics": {
"cpu_avg": 42.0,
"memory_size_byte_avg": 42.0
},
"namespaces": [
"string"
],
"outputs": {
"additionalProperty1": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
},
"additionalProperty2": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
}
},
"packages": [
"string"
],
"policy_id": "string",
"policy_revision": 42.0,
"sort": [],
"status": "offline",
"tags": [
"string"
],
"type": "PERMANENT",
"unenrolled_at": "string",
"unenrollment_started_at": "string",
"unhealthy_reason": [
"input"
],
"upgrade_attempts": [
"string"
],
"upgrade_details": {
"action_id": "string",
"metadata": {
"download_percent": 42.0,
"download_rate": 42.0,
"error_msg": "string",
"failed_state": "UPG_REQUESTED",
"retry_error_msg": "string",
"retry_until": "string",
"scheduled_at": "string"
},
"state": "UPG_REQUESTED",
"target_version": "string"
},
"upgrade_started_at": "string",
"upgraded_at": "string",
"user_provided_metadata": {}
}
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Delete an agent by ID.
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request DELETE 'https://localhost:5601/api/fleet/agents/{agentId}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"{
"action": "deleted"
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
curl \
--request GET 'https://localhost:5601/api/fleet/epm/categories' \
--header "Authorization: $API_KEY"{
"items": [
{
"count": 42.0,
"id": "string",
"parent_id": "string",
"parent_title": "string",
"title": "string"
}
]
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
Values are json, yml, or yaml. Default value is json.
curl \
--request GET 'https://localhost:5601/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs' \
--header "Authorization: $API_KEY"string{
"inputs": [
{
"id": "string",
"streams": [
{
"data_stream": {
"dataset": "string",
"type": "string"
},
"id": "string"
}
],
"type": "string"
}
]
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}curl \
--request POST 'https://localhost:5601/api/security/roles' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"roles":{"additionalProperty1":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}},"additionalProperty2":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}}}}'# Headers
kbn-xsrf: true
# Payload
{
"roles": {
"additionalProperty1": {
"description": "string",
"elasticsearch": {
"cluster": [
"string"
],
"indices": [
{
"allow_restricted_indices": true,
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"remote_cluster": [
{
"clusters": [
"string"
],
"privileges": [
"string"
]
}
],
"remote_indices": [
{
"allow_restricted_indices": true,
"clusters": [
"string"
],
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"run_as": [
"string"
]
},
"kibana": [
{
"base": [],
"feature": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"spaces": [
"*"
]
}
],
"metadata": {}
},
"additionalProperty2": {
"description": "string",
"elasticsearch": {
"cluster": [
"string"
],
"indices": [
{
"allow_restricted_indices": true,
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"remote_cluster": [
{
"clusters": [
"string"
],
"privileges": [
"string"
]
}
],
"remote_indices": [
{
"allow_restricted_indices": true,
"clusters": [
"string"
],
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"run_as": [
"string"
]
},
"kibana": [
{
"base": [],
"feature": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"spaces": [
"*"
]
}
],
"metadata": {}
}
}
}Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.
curl \
--request POST 'https://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"create":[{"allowed":true,"anonymized":true,"field":"string"}],"delete":{"ids":["string"],"query":"string"},"update":[{"allowed":true,"anonymized":true,"id":"string"}]}'{
"create": [
{
"allowed": true,
"anonymized": true,
"field": "string"
}
],
"delete": {
"ids": [
"string"
],
"query": "string"
},
"update": [
{
"allowed": true,
"anonymized": true,
"id": "string"
}
]
}{
"anonymization_fields_count": 42,
"attributes": {
"errors": [
{
"anonymization_fields": [
{
"id": "string",
"name": "string"
}
],
"err_code": "string",
"message": "string",
"status_code": 42
}
],
"results": {
"created": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
],
"deleted": [
"string"
],
"skipped": [
{
"id": "string",
"name": "string",
"skip_reason": "ANONYMIZATION_FIELD_NOT_MODIFIED"
}
],
"updated": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
]
},
"summary": {
"failed": 42,
"skipped": 42,
"succeeded": 42,
"total": 42
}
},
"message": "string",
"status_code": 42,
"success": true
}{
"error": "string",
"message": "string",
"statusCode": 42.0
}Get a list of all anonymization fields.
Search query
Field to sort by
Values are created_at, anonymized, allowed, field, or updated_at.
Sort order
Values are asc or desc.
Page number
Minimum value is 1. Default value is 1.
AnonymizationFields per page
Minimum value is 0. Default value is 20.
curl \
--request GET 'https://localhost:5601/api/security_ai_assistant/anonymization_fields/_find' \
--header "Authorization: $API_KEY"{
"data": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
],
"page": 42,
"perPage": 42,
"total": 42
}{
"error": "string",
"message": "string",
"statusCode": 42.0
}Retrieve a detection rule using the rule_id or id field.
Indicates a successful call.
curl \
--request GET 'https://localhost:5601/api/detection_engine/rules' \
--header "Authorization: $API_KEY"{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"type": "query",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"saved_id": "string",
"language": "kuery",
"query": "string"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"saved_id": "string",
"type": "saved_query",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"query": "string",
"language": "kuery"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"query": "string",
"threshold": {
"cardinality": [
{
"field": "string",
"value": 42
}
],
"field": "string",
"value": 42
},
"type": "threshold",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
}
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"saved_id": "string",
"language": "kuery"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"query": "string",
"threat_index": [
"string"
],
"threat_mapping": [
{
"entries": [
{
"field": "string",
"type": "mapping",
"value": "string"
}
]
}
],
"threat_query": "string",
"type": "threat_match",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"concurrent_searches": 42,
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"items_per_search": 42,
"saved_id": "string",
"threat_filters": [],
"threat_indicator_path": "string",
"threat_language": "kuery",
"language": "kuery"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"anomaly_threshold": 42,
"machine_learning_job_id": "string",
"type": "machine_learning",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
}
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"history_window_start": "string",
"new_terms_fields": [
"string"
],
"query": "string",
"type": "new_terms",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"language": "kuery"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"language": "esql",
"query": "string",
"type": "esql"
}Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices.
Maximum age of qualifying detection alerts
curl \
--request GET 'https://localhost:5601/api/detection_engine/signals/migration_status?from=now-30d' \
--header "Authorization: $API_KEY"{
"indices": [
{
"index": ".siem-signals-default-000002",
"version": 15,
"migrations": [
{
"id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
"status": "pending",
"updated": "2021-01-06T20:41:37.173Z",
"version": 16
}
],
"is_outdated": true,
"signal_versions": [
{
"count": 100,
"version": 15
},
{
"count": 87,
"version": 16
}
]
},
{
"index": ".siem-signals-default-000003",
"version": 16,
"migrations": [],
"is_outdated": false,
"signal_versions": [
{
"count": 54,
"version": 16
}
]
}
]
}{
"error": "string",
"message": "string",
"statusCode": 42
}{
"message": "string",
"status_code": 42
}{
"error": "string",
"message": "string",
"statusCode": 42
}{
"message": "string",
"status_code": 42
}Find and/or aggregate detection alerts that match the given query.
Search and/or aggregation query
Additional properties are allowed.
Additional properties are allowed.
Additional properties are allowed.
Minimum value is 0.
curl \
--request POST 'https://localhost:5601/api/detection_engine/signals/search' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"aggs":{"missingFields":{"missing":{"field":"host.name"}},"alertsByGrouping":{"terms":{"size":10,"field":"host.name"}}},"size":0,"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}}],"should":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}]}},{"range":{"@timestamp":{"gte":"2025-01-17T08:00:00.000Z","lte":"2025-01-18T07:59:59.999Z"}}}]}},"runtime_mappings":{}}'{
"aggs": {
"missingFields": {
"missing": {
"field": "host.name"
}
},
"alertsByGrouping": {
"terms": {
"size": 10,
"field": "host.name"
}
}
},
"size": 0,
"query": {
"bool": {
"filter": [
{
"bool": {
"must": [],
"filter": [
{
"match_phrase": {
"kibana.alert.workflow_status": "open"
}
}
],
"should": [],
"must_not": [
{
"exists": {
"field": "kibana.alert.building_block_type"
}
}
]
}
},
{
"range": {
"@timestamp": {
"gte": "2025-01-17T08:00:00.000Z",
"lte": "2025-01-18T07:59:59.999Z"
}
}
}
]
}
},
"runtime_mappings": {}
}{
"hits": {
"hits": [],
"total": {
"value": 5,
"relation": "eq"
},
"max_score": null
},
"took": 0,
"_shards": {
"total": 1,
"failed": 0,
"skipped": 0,
"successful": 1
},
"timed_out": false,
"aggregations": {
"missingFields": {
"doc_count": 0
},
"alertsByGrouping": {
"buckets": [
{
"key": "Host-f43kkddfyc",
"doc_count": 5
}
],
"sum_other_doc_count": 0,
"doc_count_error_upper_bound": 0
}
}
}{
"error": "string",
"message": "string",
"statusCode": 42
}{
"message": "string",
"status_code": 42
}{
"error": "string",
"message": "string",
"statusCode": 42
}{
"message": "string",
"status_code": 42
}Create an endpoint exception list item, and associate it with the endpoint exception list.
Exception list item's properties
Array of comment fields:
Describes the exception list.
Human readable string identifier, e.g. trusted-linux-processes
Minimum length is 1.
Additional properties are allowed.
Exception list name.
Minimum length is 1.
Use this field to specify the operating system.
Values are linux, macos, or windows.
Value is simple.
curl \
--request POST 'https://localhost:5601/api/endpoint_list/items' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"comments":[{"comment":"string","created_at":"2025-05-04T09:42:00Z","created_by":"string","id":"string","updated_at":"2025-05-04T09:42:00Z","updated_by":"string"}],"description":"string","entries":[{"field":"string","operator":"excluded","type":"match","value":"string"}],"item_id":"simple_list_item","meta":{},"name":"string","os_types":["linux"],"tags":["string"],"type":"simple"}'{
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string"
}
],
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"item_id": "simple_list_item",
"meta": {},
"name": "string",
"os_types": [
"linux"
],
"tags": [
"string"
],
"type": "simple"
}{
"_version": "string",
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string"
}
],
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"expire_time": "2025-05-04T09:42:00Z",
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"item_id": "simple_list_item",
"list_id": "simple_list",
"meta": {},
"name": "string",
"namespace_type": "agnostic",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "simple",
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string"
}{
"error": "string",
"message": "string",
"statusCode": 42
}{
"message": "string",
"status_code": 42
}{
"error": "string",
"message": "string",
"statusCode": 42
}{
"error": "string",
"message": "string",
"statusCode": 42
}{
"message": "string",
"status_code": 42
}{
"message": "string",
"status_code": 42
}The entity type of the engine (either 'user' or 'host').
Values are user, host, or service.
curl \
--request POST 'https://localhost:5601/api/entity_store/engines/{entityType}/stop' \
--header "Authorization: $API_KEY"{
"stopped": true
}Create .lists and .items data streams in the relevant space.
Successful response
Invalid input data response
Unsuccessful authentication response
Not enough privileges response
List data stream exists response
Internal server error response
curl \
--request POST 'https://localhost:5601/api/lists/index' \
--header "Authorization: $API_KEY"{
"acknowledged": true
}{
"error": "string",
"message": "string",
"statusCode": 42
}{
"message": "string",
"status_code": 42
}{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]\n",
"statusCode": 401
}{
"error": "string",
"message": "string",
"statusCode": 42
}{
"message": "data stream: \\\".lists-default\\\" and \\\".items-default\\\" already exists",
"status_code": 409
}{
"message": "Internal Server Error",
"status_code": 500
}You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.
You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.
The budgeting method to use when computing the rollup data.
Values are occurrences or timeslices.
A description for the SLO.
optional group by field or fields to use to generate an SLO per distinct value
A name for the SLO.
Defines properties for the SLO objective
Defines properties for SLO settings.
Defines properties for the SLO time window
curl \
--request PUT 'https://localhost:5601/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"budgetingMethod":"occurrences","description":"string","groupBy":[["service.name"],"service.name",["service.name","service.environment"]],"indicator":{"params":{"dataViewId":"03b80ab3-003d-498b-881c-3beedbaf1162","filter":"field.environment : \"production\" and service.name : \"my-service\"","good":"request.latency \u003c= 150 and request.status_code : \"2xx\"","index":"my-service-*","timestampField":"timestamp","total":"field.environment : \"production\" and service.name : \"my-service\""},"type":"sli.kql.custom"},"name":"string","objective":{"target":0.99,"timesliceTarget":0.995,"timesliceWindow":"5m"},"settings":{"frequency":"5m","preventInitialBackfill":true,"syncDelay":"5m","syncField":"event.ingested"},"tags":["string"],"timeWindow":{"duration":"30d","type":"rolling"}}'# Headers
kbn-xsrf: string
# Payload
{
"budgetingMethod": "occurrences",
"description": "string",
"groupBy": [
[
"service.name"
],
"service.name",
[
"service.name",
"service.environment"
]
],
"indicator": {
"params": {
"dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
"filter": "field.environment : \"production\" and service.name : \"my-service\"",
"good": "request.latency <= 150 and request.status_code : \"2xx\"",
"index": "my-service-*",
"timestampField": "timestamp",
"total": "field.environment : \"production\" and service.name : \"my-service\""
},
"type": "sli.kql.custom"
},
"name": "string",
"objective": {
"target": 0.99,
"timesliceTarget": 0.995,
"timesliceWindow": "5m"
},
"settings": {
"frequency": "5m",
"preventInitialBackfill": true,
"syncDelay": "5m",
"syncField": "event.ingested"
},
"tags": [
"string"
],
"timeWindow": {
"duration": "30d",
"type": "rolling"
}
}{
"budgetingMethod": "occurrences",
"createdAt": "2023-01-12T10:03:19.000Z",
"description": "My SLO description",
"enabled": true,
"groupBy": [
[
"service.name"
],
"service.name",
[
"service.name",
"service.environment"
]
],
"id": "8853df00-ae2e-11ed-90af-09bb6422b258",
"indicator": {
"params": {
"dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
"filter": "field.environment : \"production\" and service.name : \"my-service\"",
"good": "request.latency <= 150 and request.status_code : \"2xx\"",
"index": "my-service-*",
"timestampField": "timestamp",
"total": "field.environment : \"production\" and service.name : \"my-service\""
},
"type": "sli.kql.custom"
},
"name": "My Service SLO",
"objective": {
"target": 0.99,
"timesliceTarget": 0.995,
"timesliceWindow": "5m"
},
"revision": 2,
"settings": {
"frequency": "5m",
"preventInitialBackfill": true,
"syncDelay": "5m",
"syncField": "event.ingested"
},
"tags": [
"string"
],
"timeWindow": {
"duration": "30d",
"type": "rolling"
},
"updatedAt": "2023-01-12T10:03:19.000Z",
"version": 2
}{
"error": "Bad Request",
"message": "Invalid value 'foo' supplied to: [...]",
"statusCode": 400
}{
"error": "Unauthorized",
"message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
"statusCode": 401
}{
"error": "Unauthorized",
"message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
"statusCode": 403
}{
"error": "Not Found",
"message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
"statusCode": 404
}The space identifier.
curl \
--request GET 'https://localhost:5601/api/spaces/space/{id}' \
--header "Authorization: $API_KEY"{
"id": "marketing",
"name": "Marketing",
"color": null,
"imageUrl": "",
"initials": "MK",
"solution": "es",
"description": "This is the Marketing Space",
"disabledFeatures": []
}