Create an APM agent key

POST /api/apm/agent_keys
Api key auth Basic auth

Create a new agent key for APM. The user creating an APM agent API key must have at least the manage_own_api_key cluster privilege and the APM application-level privileges that it wishes to grant. After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • name string Required

    The name of the APM agent key.

  • privileges array[string] Required

    The APM agent key privileges. It can take one or more of the following values:

    • event:write, which is required for ingesting APM agent events. * config_agent:read, which is required for APM agents to read agent configuration remotely.

    Values are event:write or config_agent:read.

Responses

  • 200 application/json

    Agent key created successfully

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
POST /api/apm/agent_keys 
curl \
 --request POST 'https://localhost:5601/api/apm/agent_keys' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '"{\n    \"name\": \"apm-key\",\n    \"privileges\": [\"event:write\", \"config_agent:read\"]\n}\n"'
Request example
Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. 
{
    "name": "apm-key",
    "privileges": ["event:write", "config_agent:read"]
}
Response examples (200)
An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. 
{
  "agentKey": {
    "id": "3DCLmn0B3ZMhLUa7WBG9",
    "name": "apm-key",
    "api_key": "PjGloCGOTzaZr8ilUPvkjA",
    "encoded": "M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ=="
  }
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500) 
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

Get case settings

GET /api/cases/configure
Api key auth Basic auth

Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • closure_type string

      Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • connector object
      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • created_by object
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object

      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        One of:
        string-1 string boolean-2 boolean
      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • caseFields object
        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • connector object
          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

            One of:
            string-1 string boolean-2 boolean
        • description string

          The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • description string

        A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null
      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/configure 
curl \
 --request GET 'https://localhost:5601/api/cases/configure' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  {
    "id": "856ee650-6c82-11ee-a20a-6164169afa58",
    "error": null,
    "owner": "cases",
    "version": "WzEyLDNd",
    "mappings": [],
    "connector": {
      "id": "none",
      "name": "none",
      "type": ".none",
      "fields": null
    },
    "templates": [
      {
        "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
        "name": "template-1",
        "tags": [
          "Template tag 1"
        ],
        "caseFields": {
          "tags": [
            "Default case tag"
          ],
          "title": "Default case title",
          "category": "Default-category",
          "settings": {
            "syncAlerts": false
          },
          "assignees": [
            {
              "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
            }
          ],
          "connector": {
            "id": "none",
            "name": "none",
            "type": ".none",
            "fields": null
          },
          "description": "A default description for cases.",
          "customFields": [
            {
              "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
              "type": "text",
              "value": "Default text field value."
            }
          ]
        },
        "description": "A description of the template."
      }
    ],
    "created_at": "2024-07-01T17:07:17.767Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "updated_at": null,
    "updated_by": null,
    "closure_type": "close-by-user",
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "label": "my-text-field",
        "required": false,
        "defaultValue": "Custom text field value."
      }
    ]
  }
]
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get CCR Remote synced integrations status by outputId

GET /api/fleet/remote_synced_integrations/{outputId}/remote_status
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.

Responses

GET /api/fleet/remote_synced_integrations/{outputId}/remote_status 
curl \
 --request GET 'https://localhost:5601/api/fleet/remote_synced_integrations/{outputId}/remote_status' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "custom_assets": {
    "additionalProperty1": {
      "name": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "type": "string"
    },
    "additionalProperty2": {
      "name": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "type": "string"
    }
  },
  "error": "string",
  "integrations": [
    {
      "error": "string",
      "id": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "updated_at": "string"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get incoming agent data

GET /api/fleet/agent_status/data
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agents-read.

Query parameters

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • dataPreview array Required
    • items array[object] Required
      Hide items attribute Show items attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attribute Show * attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/agent_status/data 
curl \
 --request GET 'https://localhost:5601/api/fleet/agent_status/data?agentsIds=string' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "dataPreview": [],
  "items": [
    {
      "additionalProperty1": {
        "data": true
      },
      "additionalProperty2": {
        "data": true
      }
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get packages

GET /api/fleet/epm/packages
Api key auth Basic auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Responses

GET /api/fleet/epm/packages 
curl \
 --request GET 'https://localhost:5601/api/fleet/epm/packages' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "items": [
    {
      "categories": [
        "string"
      ],
      "conditions": {
        "elastic": {
          "capabilities": [
            "string"
          ],
          "subscription": "string"
        },
        "kibana": {
          "version": "string"
        }
      },
      "data_streams": [
        {}
      ],
      "description": "string",
      "discovery": {
        "fields": [
          {
            "name": "string"
          }
        ]
      },
      "download": "string",
      "format_version": "string",
      "icons": [
        {
          "dark_mode": true,
          "path": "string",
          "size": "string",
          "src": "string",
          "title": "string",
          "type": "string"
        }
      ],
      "id": "string",
      "installationInfo": {
        "additional_spaces_installed_kibana": {
          "additionalProperty1": [
            {
              "id": "string",
              "originId": "string",
              "type": "dashboard"
            }
          ],
          "additionalProperty2": [
            {
              "id": "string",
              "originId": "string",
              "type": "dashboard"
            }
          ]
        },
        "created_at": "string",
        "experimental_data_stream_features": [
          {
            "data_stream": "string",
            "features": {
              "doc_value_only_numeric": true,
              "doc_value_only_other": true,
              "synthetic_source": true,
              "tsdb": true
            }
          }
        ],
        "install_format_schema_version": "string",
        "install_source": "registry",
        "install_status": "installed",
        "installed_es": [
          {
            "deferred": true,
            "id": "string",
            "type": "index",
            "version": "string"
          }
        ],
        "installed_kibana": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ],
        "installed_kibana_space_id": "string",
        "latest_executed_state": {
          "error": "string",
          "name": "string",
          "started_at": "string"
        },
        "latest_install_failed_attempts": [
          {
            "created_at": "string",
            "error": {
              "message": "string",
              "name": "string",
              "stack": "string"
            },
            "target_version": "string"
          }
        ],
        "name": "string",
        "namespaces": [
          "string"
        ],
        "type": "string",
        "updated_at": "string",
        "verification_key_id": "string",
        "verification_status": "unverified",
        "version": "string"
      },
      "integration": "string",
      "internal": true,
      "latestVersion": "string",
      "name": "string",
      "owner": {
        "github": "string",
        "type": "elastic"
      },
      "path": "string",
      "policy_templates": [
        {}
      ],
      "readme": "string",
      "release": "ga",
      "signature_path": "string",
      "source": {
        "license": "string"
      },
      "status": "string",
      "title": "string",
      "type": "integration",
      "vars": [
        {}
      ],
      "version": "string"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Update settings

PUT /api/fleet/settings
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

PUT /api/fleet/settings 
curl \
 --request PUT 'https://localhost:5601/api/fleet/settings' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"additional_yaml_config":"string","delete_unenrolled_agents":{"enabled":true,"is_preconfigured":true},"has_seen_add_data_notice":true,"kibana_ca_sha256":"string","kibana_urls":["https://example.com"],"prerelease_integrations_enabled":true}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "additional_yaml_config": "string",
  "delete_unenrolled_agents": {
    "enabled": true,
    "is_preconfigured": true
  },
  "has_seen_add_data_notice": true,
  "kibana_ca_sha256": "string",
  "kibana_urls": [
    "https://example.com"
  ],
  "prerelease_integrations_enabled": true
}
Response examples (200) 
{
  "item": {
    "delete_unenrolled_agents": {
      "enabled": true,
      "is_preconfigured": true
    },
    "has_seen_add_data_notice": true,
    "id": "string",
    "output_secret_storage_requirements_met": true,
    "preconfigured_fields": [
      "fleet_server_hosts"
    ],
    "prerelease_integrations_enabled": true,
    "secret_storage_requirements_met": true,
    "use_space_awareness_migration_started_at": "string",
    "use_space_awareness_migration_status": "pending",
    "version": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404) 
{
  "message": "string"
}

Get output

GET /api/fleet/outputs/{outputId}
Api key auth Basic auth

Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.

Responses

GET /api/fleet/outputs/{outputId} 
curl \
 --request GET 'https://localhost:5601/api/fleet/outputs/{outputId}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "allow_edit": [
      "string"
    ],
    "ca_sha256": "string",
    "ca_trusted_fingerprint": "string",
    "config_yaml": "string",
    "hosts": [
      "https://example.com"
    ],
    "id": "string",
    "is_default": false,
    "is_default_monitoring": false,
    "is_internal": true,
    "is_preconfigured": true,
    "name": "string",
    "preset": "balanced",
    "proxy_id": "string",
    "secrets": {
      "ssl": {
        "key": {
          "id": "string"
        }
      }
    },
    "shipper": {
      "compression_level": 42.0,
      "disk_queue_compression_enabled": true,
      "disk_queue_enabled": false,
      "disk_queue_encryption_enabled": true,
      "disk_queue_max_size": 42.0,
      "disk_queue_path": "string",
      "loadbalance": true,
      "max_batch_bytes": 42.0,
      "mem_queue_events": 42.0,
      "queue_flush_timeout": 42.0
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string",
      "verification_mode": "full"
    },
    "type": "elasticsearch"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Update a package policy

PUT /api/fleet/package_policies/{packagePolicyId}
Api key auth Basic auth

Update a package policy by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body object

Any of:
object-1 object object-2 object
  • additional_datastreams_permissions array[string] | null

    Additional datastream permissions, that will be added to the agent policy.

  • description string

    Package policy description

  • enabled boolean
  • force boolean
  • inputs array[object]
    Hide inputs attributes Show inputs attributes object
    • config object

      Package variable (see integration documentation for more information)

      Hide config attribute Show config attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
    • enabled boolean Required
    • id string
    • keep_enabled boolean
    • policy_template string
    • streams array[object]
      Hide streams attributes Show streams attributes object
      • config object

        Package variable (see integration documentation for more information)

        Hide config attribute Show config attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • data_stream object Required

        Additional properties are NOT allowed.

        Hide data_stream attributes Show data_stream attributes object
      • enabled boolean Required
      • id string
      • keep_enabled boolean
      • release string

        Values are ga, beta, or experimental.

      • vars object

        Package variable (see integration documentation for more information)

        Hide vars attribute Show vars attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
    • type string Required
    • vars object

      Package variable (see integration documentation for more information)

      Hide vars attribute Show vars attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
  • is_managed boolean
  • name string
  • namespace string

    The package policy namespace. Leave blank to inherit the agent policy's namespace.

  • output_id string | null
  • overrides object | null

    Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

    Additional properties are NOT allowed.

    Hide overrides attribute Show overrides attribute object | null
    • inputs object

      Additional properties are allowed.

  • package object

    Additional properties are NOT allowed.

    Hide package attributes Show package attributes object
  • policy_id string | null Deprecated

    Agent policy ID where that package policy will be added

  • policy_ids array[string]

    Agent policy IDs where that package policy will be added

  • supports_agentless boolean | null

    Indicates whether the package policy belongs to an agentless agent policy.

    Default value is false.

  • vars object

    Package variable (see integration documentation for more information)

    Hide vars attribute Show vars attribute object
    • * object Additional properties

      Additional properties are NOT allowed.

      Hide * attributes Show * attributes object
  • version string

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • additional_datastreams_permissions array[string] | null

        Additional datastream permissions, that will be added to the agent policy.

      • agents number
      • created_at string Required
      • created_by string Required
      • description string

        Package policy description

      • elasticsearch object

        Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • privileges object

          Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required

      • inputs array[object] | object Required

        Any of:
        array-1 array[object] object-2 object
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • keep_enabled boolean
        • policy_template string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • keep_enabled boolean
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • namespace string

        The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required

      • vars object

        Any of:
        object-1 object object-2 object

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 403 application/json
    Hide response attributes Show response attributes object
PUT /api/fleet/package_policies/{packagePolicyId} 
curl \
 --request PUT 'https://localhost:5601/api/fleet/package_policies/{packagePolicyId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"additional_datastreams_permissions":["string"],"description":"string","enabled":true,"force":true,"inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"version":"string"}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "additional_datastreams_permissions": [
    "string"
  ],
  "description": "string",
  "enabled": true,
  "force": true,
  "inputs": [
    {
      "config": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "enabled": true,
      "id": "string",
      "keep_enabled": true,
      "policy_template": "string",
      "streams": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "data_stream": {
            "dataset": "string",
            "elasticsearch": {
              "dynamic_dataset": true,
              "dynamic_namespace": true,
              "privileges": {
                "indices": [
                  "string"
                ]
              }
            },
            "type": "string"
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "release": "ga",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "type": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      }
    }
  ],
  "is_managed": true,
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "overrides": {
    "inputs": {}
  },
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {
    "additionalProperty1": {
      "frozen": true,
      "type": "string"
    },
    "additionalProperty2": {
      "frozen": true,
      "type": "string"
    }
  },
  "version": "string"
}
# Headers
kbn-xsrf: true

# Payload
{
  "additional_datastreams_permissions": [
    "string"
  ],
  "description": "string",
  "force": true,
  "id": "string",
  "inputs": {
    "additionalProperty1": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    },
    "additionalProperty2": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    }
  },
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {}
}
Response examples (200) 
{
  "item": {
    "additional_datastreams_permissions": [
      "string"
    ],
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (403) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Create or update a Logstash pipeline Technical Preview

PUT /api/logstash/pipeline/{id}
Api key auth Basic auth

Create a centrally-managed Logstash pipeline or update a pipeline. To use this API, you must have either the logstash_admin built-in role or a customized Logstash writer role.

Secure your connection

Path parameters

  • id string Required

    An identifier for the pipeline. Only alphanumeric characters, hyphens, and underscores are supported.

application/json

Body

  • description string

    A description of the pipeline.

  • pipeline string Required

    A definition for the pipeline.

  • settings object

    Supported settings, represented as object keys, include the following:

    • pipeline.workers
    • pipeline.batch.size
    • pipeline.batch.delay
    • pipeline.ecs_compatibility
    • pipeline.ordered
    • queue.type
    • queue.max_bytes
    • queue.checkpoint.writes

Responses

  • 204

    Indicates a successful call

PUT /api/logstash/pipeline/{id} 
curl \
 --request PUT 'https://localhost:5601/api/logstash/pipeline/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"pipeline\": \"input { stdin {} } output { stdout {} }\",\n  \"settings\": {\n    \"queue.type\": \"persisted\"\n  }\n}"'
Request example 
{
  "pipeline": "input { stdin {} } output { stdout {} }",
  "settings": {
    "queue.type": "persisted"
  }
}

Create a conversation

POST /api/security_ai_assistant/current_user/conversations
Api key auth Basic auth

Create a new Security AI Assistant conversation.

application/json

Body Required

  • apiConfig object

    LLM API configuration.

    Hide apiConfig attributes Show apiConfig attributes object
  • category string

    The conversation category.

    Values are assistant or insights.

  • excludeFromLastConversationStorage boolean

    excludeFromLastConversationStorage.

  • id string

    The conversation id.

  • messages array[object]

    The conversation messages.

    AI assistant conversation message.

    Hide messages attributes Show messages attributes object
    • content string Required

      Message content.

    • isError boolean

      Is error message.

    • metadata object

      metadata

      Hide metadata attribute Show metadata attribute object
    • reader object

      Message content.

      Additional properties are allowed.

    • role string Required

      Message role.

      Values are system, user, or assistant.

    • timestamp string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • traceData object

      trace Data

      Hide traceData attributes Show traceData attributes object
      • traceId string

        Could be any string, not necessarily a UUID

      • transactionId string

        Could be any string, not necessarily a UUID

  • replacements object

    Replacements object used to anonymize/deanomymize messsages

    Hide replacements attribute Show replacements attribute object
    • * string Additional properties
  • title string Required

    The conversation title.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • apiConfig object

      LLM API configuration.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The time conversation was created.

    • excludeFromLastConversationStorage boolean

      excludeFromLastConversationStorage.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • messages array[object]

      The conversation messages.

      AI assistant conversation message.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        metadata

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • traceData object

        trace Data

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • transactionId string

          Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • replacements object

      Replacements object used to anonymize/deanomymize messsages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object
      Hide summary attributes Show summary attributes object
      • confidence string

        How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • title string Required

      The conversation title.

    • updatedAt string

      The last time conversation was updated.

    • users array[object] Required

      Could be any string, not necessarily a UUID

      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
POST /api/security_ai_assistant/current_user/conversations 
curl \
 --request POST 'https://localhost:5601/api/security_ai_assistant/current_user/conversations' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"apiConfig":{"actionTypeId":"string","connectorId":"string","defaultSystemPromptId":"string","model":"string","provider":"OpenAI"},"category":"assistant","excludeFromLastConversationStorage":true,"id":"string","messages":[{"content":"string","isError":true,"metadata":{"contentReferences":{}},"reader":{},"role":"system","timestamp":"string","traceData":{"traceId":"string","transactionId":"string"}}],"replacements":{"additionalProperty1":"string","additionalProperty2":"string"},"title":"string"}'
Request examples 
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "title": "string"
}
Response examples (200) 
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "createdAt": "string",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "namespace": "string",
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "summary": {
    "confidence": "low",
    "content": "string",
    "public": true,
    "timestamp": "string"
  },
  "timestamp": "string",
  "title": "string",
  "updatedAt": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Retrieve the status of prebuilt detection rules and Timelines

GET /api/detection_engine/rules/prepackaged/_status
Api key auth Basic auth

Retrieve the status of all Elastic prebuilt detection rules and Timelines.

This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines.

Responses

  • 200 application/json

    Indicates a successful call

    Hide response attributes Show response attributes object
    • rules_custom_installed integer Required

      The total number of custom rules

      Minimum value is 0.

    • rules_installed integer Required

      The total number of installed prebuilt rules

      Minimum value is 0.

    • rules_not_installed integer Required

      The total number of available prebuilt rules that are not installed

      Minimum value is 0.

    • rules_not_updated integer Required

      The total number of outdated prebuilt rules

      Minimum value is 0.

    • timelines_installed integer Required

      The total number of installed prebuilt timelines

      Minimum value is 0.

    • timelines_not_installed integer Required

      The total number of available prebuilt timelines that are not installed

      Minimum value is 0.

    • timelines_not_updated integer Required

      The total number of outdated prebuilt timelines

      Minimum value is 0.
GET /api/detection_engine/rules/prepackaged/_status 
curl \
 --request GET 'https://localhost:5601/api/detection_engine/rules/prepackaged/_status' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "rules_installed": 0,
  "rules_not_updated": 0,
  "rules_not_installed": 112,
  "timelines_installed": 0,
  "timelines_not_updated": 0,
  "rules_custom_installed": 0,
  "timelines_not_installed": 0
}

Upload a file

POST /api/endpoint/action/upload
Api key auth Basic auth

Upload a file to an endpoint.

multipart/form-data

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Optional parameters object

    Hide parameters attribute Show parameters attribute object
    • overwrite boolean

      Overwrite the file on the host if it already exists.

      Default value is false.

  • file string(binary) Required

    The binary content of the file.

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/upload 
curl \
 --request POST 'https://localhost:5601/api/endpoint/action/upload' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --form "file=RWxhc3RpYw==" \
 --form 'parameters={}' \
 --form "endpoint_ids[]=ed518850-681a-4d60-bb98-e22640cae2a8"
Request example 
{"file"=>"RWxhc3RpYw==", "parameters"=>{}, "endpoint_ids"=>["ed518850-681a-4d60-bb98-e22640cae2a8"]}
Response examples (200) 
{
  "data": {
    "id": "9ff6aebc-2cb6-481e-8869-9b30036c9731",
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "Host-5i6cuc8kdv"
      }
    },
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "status": "pending",
    "command": "upload",
    "outputs": {},
    "agentType": "endpoint",
    "createdBy": "elastic",
    "isExpired": false,
    "startedAt": "2023-07-03T15:07:22.837Z",
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "parameters": {
      "file_id": "10e4ce3d-4abb-4f93-a0cd-eaf63a489280",
      "file_name": "fix-malware.sh",
      "file_size": 69,
      "file_sha256": "a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a"
    },
    "isCompleted": false,
    "wasSuccessful": false
  }
}

Health check on Privilege Monitoring

GET /api/entity_analytics/monitoring/privileges/health
Api key auth Basic auth

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
GET /api/entity_analytics/monitoring/privileges/health 
curl \
 --request GET 'https://localhost:5601/api/entity_analytics/monitoring/privileges/health' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "ok": true
}

List the Entity Engines

GET /api/entity_store/engines
Api key auth Basic auth

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • count integer
    • engines array[object]
      Hide engines attributes Show engines attributes object
GET /api/entity_store/engines 
curl \
 --request GET 'https://localhost:5601/api/entity_store/engines' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "count": 42,
  "engines": [
    {
      "delay": "1m",
      "docsPerSecond": 42,
      "error": {
        "action": "init",
        "message": "string"
      },
      "fieldHistoryLength": 42,
      "filter": "string",
      "frequency": "1m",
      "indexPattern": "string",
      "lookbackPeriod": "24h",
      "status": "installing",
      "timeout": "180s",
      "timestampField": "string",
      "type": "user"
    }
  ]
}

Update an exception list item

PUT /api/exception_lists/items
Api key auth Basic auth

Update an exception list item using the id or item_id field.

application/json

Body Required

Exception list item's properties

  • _version string

    The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

  • comments array[object]

    Default value is [] (empty).

    Hide comments attributes Show comments attributes object
    • comment string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • id string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • description string Required

    Describes the exception list.

  • entries array[object] Required
    Any of:
    Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
    Hide attributes Show attributes
    • field string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • operator string Required

      Values are excluded or included.

    • type string Required Discriminator

      Value is match.

    • value string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • expire_time string(date-time)

    The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

  • id string(nonempty)

    Exception's identifier.

    Minimum length is 1.

  • item_id string(nonempty)

    Human readable string identifier, e.g. trusted-linux-processes

    Minimum length is 1.

  • list_id string(nonempty)

    Exception list's human readable string identifier, e.g. trusted-linux-processes.

    Minimum length is 1.

  • meta object

    Additional properties are allowed.

  • name string(nonempty) Required

    Exception list name.

    Minimum length is 1.

  • namespace_type string

    Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

  • os_types array[string]

    Use this field to specify the operating system.

    Values are linux, macos, or windows. Default value is [] (empty).

  • tags array[string(nonempty)]

    String array containing words and phrases to help categorize exception items.

    Minimum length of each is 1. Default value is [] (empty).

  • type string Required

    Value is simple.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • comments array[object] Required

      Array of comment fields:

      • comment (string): Comments about the exception item.
      Hide comments attributes Show comments attributes object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updated_at string(date-time)

        Autogenerated date of last object update.

      • updated_by string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)

      The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

    • id string(nonempty) Required

      Exception's identifier.

      Minimum length is 1.

    • item_id string(nonempty) Required

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows. Default value is [] (empty).

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1. Default value is [] (empty).

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Value is simple.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    Exception list item not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
PUT /api/exception_lists/items 
curl \
 --request PUT 'https://localhost:5601/api/exception_lists/items' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"name":"Updated name","tags":[],"type":"simple","entries":[{"type":"match","field":"host.name","value":"rock01","operator":"included"}],"item_id":"simple_list_item","comments":[],"description":"Updated description","namespace_type":"single"}'
Request example 
{
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "comments": [],
  "description": "Updated description",
  "namespace_type": "single"
}
Response examples (200) 
{
  "id": "459c5e7e-f8b2-4f0b-b136-c1fc702f72da",
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzEyLDFd",
  "comments": [],
  "os_types": [],
  "created_at": "2025-01-07T21:12:25.512Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T21:34:50.233Z",
  "updated_by": "elastic",
  "description": "Updated description",
  "namespace_type": "single",
  "tie_breaker_id": "ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0"
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request body]: item_id: Expected string, received number",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message": "exception list item item_id: \\\"foo\\\" does not exist",
  "status_code": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Security lists

Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

Lists are made up of:

  • List containers: A container for values of the same Elasticsearch data type. The following data types can be used:
    • boolean
    • byte
    • date
    • date_nanos
    • date_range
    • double
    • double_range
    • float
    • float_range
    • half_float
    • integer
    • integer_range
    • ip
    • ip_range
    • keyword
    • long
    • long_range
    • short
    • text
  • List items: The values used to determine whether the exception prevents an alert from being generated.

All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named internal-ip-addresses-southport contains five items, where each item defines one internal IP address:

  1. 192.168.1.1
  2. 192.168.1.3
  3. 192.168.1.18
  4. 192.168.1.12
  5. 192.168.1.7

To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to create an exception list item that references the internal-ip-addresses-southport list.

Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (is in list, is not in list). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule's exceptions_list object.

Lists requirements

Before you can start using lists, you must create the .lists and .items data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to Enable and access detections for a complete list of requirements.

Get live query results

GET /api/osquery/live_queries/{id}/results/{actionId}
Api key auth Basic auth

Get the results of a live query using the query action ID.

Path parameters

  • id string Required

    The ID of the live query result you want to retrieve.

  • actionId string Required

    The ID of the query action that generated the live query results.

Query parameters

  • kuery string | null

    The kuery to filter the results by.

  • page integer | null

    The page number to return. The default is 1.

  • pageSize integer | null

    The number of results to return per page. The default is 20.

  • sort string | null

    The field that is used to sort the results.

    Default value is createdAt.

  • sortOrder string

    Specifies the sort order.

    Values are asc or desc.

Responses

  • 200 application/json

    OK

    The response for getting live query results.
GET /api/osquery/live_queries/{id}/results/{actionId} 
curl \
 --request GET 'https://localhost:5601/api/osquery/live_queries/3c42c847-eb30-4452-80e0-728584042334/results/609c4c66-ba3d-43fa-afdd-53e244577aa0' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": {
    "edges": [
      {},
      {}
    ],
    "total": 2
  }
}

Spaces

Manage your Kibana spaces.

Space overview

Get group stream settings Technical Preview

GET /api/streams/{name}/_group
Api key auth Basic auth

Fetches the group settings of a group stream definition

application/json

Body

object object

Additional properties are NOT allowed.
GET /api/streams/{name}/_group 
curl \
 --request GET 'https://localhost:5601/api/streams/{name}/_group' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"
Request examples 
{}