Get environments for service

GET /api/apm/settings/agent-configuration/environments
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • environments array[object]

      Service environment list

      Hide environments attributes Show environments attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/environments 
curl \
 --request GET 'http://localhost:5622/api/apm/settings/agent-configuration/environments' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"
Response examples (200) 
{
  "environments": [
    {
      "alreadyConfigured": true,
      "name": "ALL_OPTION_VALUE"
    }
  ]
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

APM agent keys

Configure APM agent keys to authorize requests from APM agents to the APM Server.

Search for annotations

GET /api/apm/services/{serviceName}/annotation/search
Api key auth Basic auth

Search for annotations related to a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Path parameters

Query parameters

  • environment string

    The environment to filter annotations by

  • start string

    The start date for the search

  • end string

    The end date for the search

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
GET /api/apm/services/{serviceName}/annotation/search 
curl \
 --request GET 'http://localhost:5622/api/apm/services/{serviceName}/annotation/search' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"
Response examples (200) 
{
  "annotations": [
    {
      "@timestamp": 42.0,
      "id": "string",
      "text": "string",
      "type": "version"
    }
  ]
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (500) 
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

Get source maps

GET /api/apm/sourcemaps
Api key auth Basic auth

Get an array of Fleet artifacts, including source map uploads. You must have read or all Kibana privileges for the APM and User Experience feature.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

GET /api/apm/sourcemaps 
curl -X GET "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: application/json' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}'
Response examples (200)
A successful response from `GET /api/apm/sourcemaps`. 
{
  "artifacts": [
    {
      "type": "sourcemap",
      "identifier": "foo-1.0.0",
      "relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
      "body": {
        "serviceName": "foo",
        "serviceVersion": "1.0.0",
        "bundleFilepath": "/test/e2e/general-usecase/bundle.js",
        "sourceMap": {
          "version": 3,
          "file": "static/js/main.chunk.js",
          "sources": [
            "fleet-source-map-client/src/index.css",
            "fleet-source-map-client/src/App.js",
            "webpack:///./src/index.css?bb0a",
            "fleet-source-map-client/src/index.js",
            "fleet-source-map-client/src/reportWebVitals.js"
          ],
          "sourcesContent": [
            "content"
          ],
          "mappings": "mapping",
          "sourceRoot": ""
        }
      },
      "created": "2021-07-09T20:47:44.812Z",
      "id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
      "compressionAlgorithm": "zlib",
      "decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
      "decodedSize": 441,
      "encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24",
      "encodedSize": 237,
      "encryptionAlgorithm": "none",
      "packageName": "apm"
    }
  ]
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (500) 
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501) 
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Get a case comment or alert

GET /api/cases/{caseId}/comments/{commentId}
Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

  • commentId string Required

    The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.

Responses

GET /api/cases/{caseId}/comments/{commentId} 
curl \
 --request GET 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "8048b460-fe2b-11ec-b15d-779a7c8bbcc3",
  "type": "user",
  "owner": "cases",
  "comment": "A new comment",
  "version": "WzIzLDFd",
  "pushed_at": null,
  "pushed_by": null,
  "created_at": "2023-10-07T19:32:13.104Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case tags

GET /api/cases/tags
Api key auth Basic auth

Aggregates and returns a list of case tags. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json

    Indicates a successful call.

    Not more than 10000 elements.
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/tags 
curl \
 --request GET 'http://localhost:5622/api/cases/tags' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  "observability",
  "security",
  "tag 1",
  "tag 2"
]
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Update data view fields metadata

POST /api/data_views/data_view/{viewId}/fields
Api key auth Basic auth

Update fields presentation metadata such as count, customLabel, customDescription, and format.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • fields object Required

    The field object.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId}/fields 
curl \
 --request POST 'http://localhost:5622/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/fields' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"fields":{"field1":{"count":123,"customLabel":"Field 1 label"},"field2":{"customLabel":"Field 2 label","customDescription":"Field 2 description"}}}'
Request example 
{
  "fields": {
    "field1": {
      "count": 123,
      "customLabel": "Field 1 label"
    },
    "field2": {
      "customLabel": "Field 2 label",
      "customDescription": "Field 2 description"
    }
  }
}
Response examples (200) 
{
  "acknowledged": true
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Delete an agent policy

POST /api/fleet/agent_policies/delete
Api key auth Basic auth

Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/agent_policies/delete 
curl \
 --request POST 'http://localhost:5622/api/fleet/agent_policies/delete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agentPolicyId":"string","force":true}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "agentPolicyId": "string",
  "force": true
}
Response examples (200) 
{
  "id": "string",
  "name": "string"
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get outputs for agent policies

POST /api/fleet/agent_policies/outputs
Api key auth Basic auth

Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • ids array[string] Required

    list of package policy ids

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • agentPolicyId string
      • data object Required

        Additional properties are NOT allowed.

        Hide data attributes Show data attributes object
      • monitoring object Required

        Additional properties are NOT allowed.

        Hide monitoring attribute Show monitoring attribute object
        • output object Required

          Additional properties are NOT allowed.

          Hide output attributes Show output attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agent_policies/outputs 
curl \
 --request POST 'http://localhost:5622/api/fleet/agent_policies/outputs' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"ids":["string"]}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "ids": [
    "string"
  ]
}
Response examples (200) 
{
  "items": [
    {
      "agentPolicyId": "string",
      "data": {
        "integrations": [
          {
            "id": "string",
            "integrationPolicyName": "string",
            "name": "string",
            "pkgName": "string"
          }
        ],
        "output": {
          "id": "string",
          "name": "string"
        }
      },
      "monitoring": {
        "output": {
          "id": "string",
          "name": "string"
        }
      }
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Elastic Agents

Get an agent

GET /api/fleet/agents/{agentId}
Api key auth Basic auth

Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Query parameters

Responses

GET /api/fleet/agents/{agentId} 
curl \
 --request GET 'http://localhost:5622/api/fleet/agents/{agentId}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "access_api_key": "string",
    "access_api_key_id": "string",
    "active": true,
    "agent": {
      "id": "string",
      "version": "string"
    },
    "audit_unenrolled_reason": "string",
    "components": [
      {
        "id": "string",
        "message": "string",
        "status": "STARTING",
        "type": "string",
        "units": [
          {
            "id": "string",
            "message": "string",
            "payload": {},
            "status": "STARTING",
            "type": "input"
          }
        ]
      }
    ],
    "default_api_key": "string",
    "default_api_key_history": [
      {
        "id": "string",
        "retired_at": "string"
      }
    ],
    "default_api_key_id": "string",
    "enrolled_at": "string",
    "id": "string",
    "last_checkin": "string",
    "last_checkin_message": "string",
    "last_checkin_status": "error",
    "local_metadata": {},
    "metrics": {
      "cpu_avg": 42.0,
      "memory_size_byte_avg": 42.0
    },
    "namespaces": [
      "string"
    ],
    "outputs": {
      "additionalProperty1": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      },
      "additionalProperty2": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      }
    },
    "packages": [
      "string"
    ],
    "policy_id": "string",
    "policy_revision": 42.0,
    "sort": [],
    "status": "offline",
    "tags": [
      "string"
    ],
    "type": "PERMANENT",
    "unenrolled_at": "string",
    "unenrollment_started_at": "string",
    "unhealthy_reason": [
      "input"
    ],
    "upgrade_attempts": [
      "string"
    ],
    "upgrade_details": {
      "action_id": "string",
      "metadata": {
        "download_percent": 42.0,
        "download_rate": 42.0,
        "error_msg": "string",
        "failed_state": "UPG_REQUESTED",
        "retry_error_msg": "string",
        "retry_until": "string",
        "scheduled_at": "string"
      },
      "state": "UPG_REQUESTED",
      "target_version": "string"
    },
    "upgrade_started_at": "string",
    "upgraded_at": "string",
    "user_provided_metadata": {}
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get package stats

GET /api/fleet/epm/packages/{pkgName}/stats
Api key auth Basic auth

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Responses

GET /api/fleet/epm/packages/{pkgName}/stats 
curl \
 --request GET 'http://localhost:5622/api/fleet/epm/packages/{pkgName}/stats' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "response": {
    "agent_policy_count": 42.0
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get enrollment API keys

GET /api/fleet/enrollment_api_keys
Api key auth Basic auth

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].

Query parameters

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • policy_id string

        The ID of the agent policy the Elastic Agent will be enrolled in.

    • list array[object] Required Deprecated
      Hide list attributes Show list attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • policy_id string

        The ID of the agent policy the Elastic Agent will be enrolled in.

    • page number Required
    • perPage number Required
    • total number Required
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/enrollment_api_keys 
curl \
 --request GET 'http://localhost:5622/api/fleet/enrollment_api_keys' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "items": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "list": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Fleet service tokens

Get anonymization fields

GET /api/security_ai_assistant/anonymization_fields/_find
Api key auth Basic auth

Get a list of all anonymization fields.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • sort_field string

    Field to sort by

    Values are created_at, anonymized, allowed, field, or updated_at.

  • sort_order string

    Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    AnonymizationFields per page

    Minimum value is 0. Default value is 20.

Responses

GET /api/security_ai_assistant/anonymization_fields/_find 
curl \
 --request GET 'http://localhost:5622/api/security_ai_assistant/anonymization_fields/_find' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": [
    {
      "allowed": true,
      "anonymized": true,
      "createdAt": "string",
      "createdBy": "string",
      "field": "string",
      "id": "string",
      "namespace": "string",
      "timestamp": "string",
      "updatedAt": "string",
      "updatedBy": "string"
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a conversation

GET /api/security_ai_assistant/current_user/conversations/{id}
Api key auth Basic auth

Get the details of an existing conversation using the conversation ID.

Path parameters

  • id string(nonempty) Required

    The conversation's id value.

    Minimum length is 1.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • apiConfig object

      LLM API configuration.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The time conversation was created.

    • excludeFromLastConversationStorage boolean

      excludeFromLastConversationStorage.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • messages array[object]

      The conversation messages.

      AI assistant conversation message.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        metadata

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • traceData object

        trace Data

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • transactionId string

          Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • replacements object

      Replacements object used to anonymize/deanomymize messsages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object
      Hide summary attributes Show summary attributes object
      • confidence string

        How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • title string Required

      The conversation title.

    • updatedAt string

      The last time conversation was updated.

    • users array[object] Required

      Could be any string, not necessarily a UUID

      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/current_user/conversations/{id} 
curl \
 --request GET 'http://localhost:5622/api/security_ai_assistant/current_user/conversations/{id}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "createdAt": "string",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "namespace": "string",
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "summary": {
    "confidence": "low",
    "content": "string",
    "public": true,
    "timestamp": "string"
  },
  "timestamp": "string",
  "title": "string",
  "updatedAt": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Apply a bulk action to prompts

POST /api/security_ai_assistant/prompts/_bulk_action
Api key auth Basic auth

Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs.

application/json

Body

Responses

POST /api/security_ai_assistant/prompts/_bulk_action 
curl \
 --request POST 'http://localhost:5622/api/security_ai_assistant/prompts/_bulk_action' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"create":[{"categories":["string"],"color":"string","consumer":"string","content":"string","isDefault":true,"isNewConversationDefault":true,"name":"string","promptType":"system"}],"delete":{"ids":["string"],"query":"string"},"update":[{"categories":["string"],"color":"string","consumer":"string","content":"string","id":"string","isDefault":true,"isNewConversationDefault":true}]}'
Request examples 
{
  "create": [
    {
      "categories": [
        "string"
      ],
      "color": "string",
      "consumer": "string",
      "content": "string",
      "isDefault": true,
      "isNewConversationDefault": true,
      "name": "string",
      "promptType": "system"
    }
  ],
  "delete": {
    "ids": [
      "string"
    ],
    "query": "string"
  },
  "update": [
    {
      "categories": [
        "string"
      ],
      "color": "string",
      "consumer": "string",
      "content": "string",
      "id": "string",
      "isDefault": true,
      "isNewConversationDefault": true
    }
  ]
}
Response examples (200) 
{
  "attributes": {
    "errors": [
      {
        "err_code": "string",
        "message": "string",
        "prompts": [
          {
            "id": "string",
            "name": "string"
          }
        ],
        "status_code": 42
      }
    ],
    "results": {
      "created": [
        {
          "categories": [
            "string"
          ],
          "color": "string",
          "consumer": "string",
          "content": "string",
          "createdAt": "string",
          "createdBy": "string",
          "id": "string",
          "isDefault": true,
          "isNewConversationDefault": true,
          "name": "string",
          "namespace": "string",
          "promptType": "system",
          "timestamp": "string",
          "updatedAt": "string",
          "updatedBy": "string",
          "users": [
            {
              "id": "string",
              "name": "string"
            }
          ]
        }
      ],
      "deleted": [
        "string"
      ],
      "skipped": [
        {
          "id": "string",
          "name": "string",
          "skip_reason": "PROMPT_FIELD_NOT_MODIFIED"
        }
      ],
      "updated": [
        {
          "categories": [
            "string"
          ],
          "color": "string",
          "consumer": "string",
          "content": "string",
          "createdAt": "string",
          "createdBy": "string",
          "id": "string",
          "isDefault": true,
          "isNewConversationDefault": true,
          "name": "string",
          "namespace": "string",
          "promptType": "system",
          "timestamp": "string",
          "updatedAt": "string",
          "updatedBy": "string",
          "users": [
            {
              "id": "string",
              "name": "string"
            }
          ]
        }
      ]
    },
    "summary": {
      "failed": 42,
      "skipped": 42,
      "succeeded": 42,
      "total": 42
    }
  },
  "message": "string",
  "prompts_count": 42,
  "status_code": 42,
  "success": true
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get prompts

GET /api/security_ai_assistant/prompts/_find
Api key auth Basic auth

Get a list of all prompts.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • sort_field string

    Field to sort by

    Values are created_at, is_default, name, or updated_at.

  • sort_order string

    Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Prompts per page

    Minimum value is 0. Default value is 20.

Responses

GET /api/security_ai_assistant/prompts/_find 
curl \
 --request GET 'http://localhost:5622/api/security_ai_assistant/prompts/_find' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": [
    {
      "categories": [
        "string"
      ],
      "color": "string",
      "consumer": "string",
      "content": "string",
      "createdAt": "string",
      "createdBy": "string",
      "id": "string",
      "isDefault": true,
      "isNewConversationDefault": true,
      "name": "string",
      "namespace": "string",
      "promptType": "system",
      "timestamp": "string",
      "updatedAt": "string",
      "updatedBy": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ]
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Reads the alert index name if it exists

GET /api/detection_engine/index
Api key auth Basic auth

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough permissions response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
GET /api/detection_engine/index 
curl \
 --request GET 'http://localhost:5622/api/detection_engine/index' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "name": ".alerts-security.alerts-default",
  "index_mapping_outdated": false
}
Response examples (401) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403) 
{
  "message": "string",
  "status_code": 42
}
Response examples (404) 
{
  "message": "string",
  "status_code": 42
}
Response examples (500) 
{
  "message": "string",
  "status_code": 42
}

Scan a file or directory

POST /api/endpoint/action/scan
Api key auth Basic auth

Scan a specific file or directory on an endpoint for malware.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Optional parameters object

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/scan 
curl \
 --request POST 'http://localhost:5622/api/endpoint/action/scan' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Scan the file for malware","parameters":{"path":"/usr/my-file.txt"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example 
{
  "comment": "Scan the file for malware",
  "parameters": {
    "path": "/usr/my-file.txt"
  },
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "27ba1b42-7cc6-4e53-86ce-675c876092b2",
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
      }
    },
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "status": "pending",
    "command": "scan",
    "outputs": {},
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2023-07-28T19:00:03.911Z",
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "parameters": {
      "path": "/usr/my-file.txt"
    },
    "isCompleted": false,
    "wasSuccessful": false
  }
}

Get a policy response

GET /api/endpoint/policy_response
Api key auth Basic auth

Query parameters

  • query object Required
    Hide query attribute Show query attribute object

Responses

  • 200 application/json

    OK
GET /api/endpoint/policy_response 
curl \
 --request GET 'http://localhost:5622/api/endpoint/policy_response?query=%7B%7D' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{}

Apply DataView indices to all installed engines

POST /api/entity_store/engines/apply_dataview_indices
Api key auth Basic auth

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 207 application/json

    Partial successful response

    Hide response attributes Show response attributes object
  • 500 application/json

    Error response

    Hide response attributes Show response attributes object
POST /api/entity_store/engines/apply_dataview_indices 
curl \
 --request POST 'http://localhost:5622/api/entity_store/engines/apply_dataview_indices' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "result": [
    {
      "changes": {
        "indexPatterns": [
          "string"
        ]
      },
      "type": "string"
    }
  ],
  "success": true
}
Response examples (207) 
{
  "errors": [
    "string"
  ],
  "result": [
    {
      "changes": {
        "indexPatterns": [
          "string"
        ]
      },
      "type": "string"
    }
  ],
  "success": true
}
Response examples (500) 
{
  "body": "string",
  "statusCode": 42.0
}

Run the risk scoring engine

POST /api/risk_score/engine/schedule_now
Api key auth Basic auth

Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.

application/json

Body

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Task manager is unavailable

    Hide response attributes Show response attributes object
  • default application/json

    Unexpected error

    Hide response attributes Show response attributes object
POST /api/risk_score/engine/schedule_now 
curl \
 --request POST 'http://localhost:5622/api/risk_score/engine/schedule_now' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"
Response examples (200) 
{
  "success": true
}
Response examples (400) 
{
  "message": "string",
  "status_code": 42
}
Response examples (default) 
{
  "full_error": "string",
  "message": "string"
}

Add or update a note

PATCH /api/note
Api key auth Basic auth

Add a note to a Timeline or update an existing note.

application/json

Body Required

The note to add or update, along with additional metadata.

  • note object Required
    Hide note attributes Show note attributes object
    • created number | null

      The time the note was created, using a 13-digit Epoch timestamp.

    • createdBy string | null

      The user who created the note.

    • updated number | null

      The last time the note was updated, using a 13-digit Epoch timestamp

    • updatedBy string | null

      The user who last updated the note

    • eventId string | null

      The _id of the associated event for this note.

    • note string | null

      The text of the note

    • timelineId string Required

      The savedObjectId of the Timeline that this note is associated with

  • noteId string | null

    The savedObjectId of the note

  • version string | null

    The version of the note

Responses

  • 200 application/json

    Indicates the note was successfully created.

    Hide response attribute Show response attribute object
    • note object Required
      Hide note attributes Show note attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        The _id of the associated event for this note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline that this note is associated with

      • noteId string Required

        The savedObjectId of the note

      • version string Required

        The version of the note
PATCH /api/note 
curl \
 --request PATCH 'http://localhost:5622/api/note' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"note":{"created":1587468588922,"createdBy":"casetester","updated":1741344876825,"updatedBy":"casetester","eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"This is an example text","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"},"noteId":"709f99c6-89b6-4953-9160-35945c8e174e","version":"WzQ2LDFd"}'
Request examples 
{
  "note": {
    "created": 1587468588922,
    "createdBy": "casetester",
    "updated": 1741344876825,
    "updatedBy": "casetester",
    "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
    "note": "This is an example text",
    "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e"
  },
  "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
  "version": "WzQ2LDFd"
}
Response examples (200) 
{
  "note": {
    "created": 1587468588922,
    "createdBy": "casetester",
    "updated": 1741344876825,
    "updatedBy": "casetester",
    "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
    "note": "This is an example text",
    "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
    "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
    "version": "WzQ2LDFd"
  }
}

Delete Timelines or Timeline templates

DELETE /api/timeline
Api key auth Basic auth

Delete one or more Timelines or Timeline templates.

application/json

Body Required

The IDs of the Timelines or Timeline templates to delete.

  • savedObjectIds array[string] Required

    The list of IDs of the Timelines or Timeline templates to delete

  • searchIds array[string]

    Saved search IDs that should be deleted alongside the timelines

Responses

  • 200

    Indicates the Timeline was successfully deleted.

DELETE /api/timeline 
curl \
 --request DELETE 'http://localhost:5622/api/timeline' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"savedObjectIds":["15c1929b-0af7-42bd-85a8-56e234cc7c4e"],"searchIds":["23f3-43g34g322-e5g5hrh6h-45454","6ce1b592-84e3-4b4a-9552-f189d4b82075"]}'
Request examples 
{
  "savedObjectIds": [
    "15c1929b-0af7-42bd-85a8-56e234cc7c4e"
  ],
  "searchIds": [
    "23f3-43g34g322-e5g5hrh6h-45454",
    "6ce1b592-84e3-4b4a-9552-f189d4b82075"
  ]
}

Create a short URL Technical Preview

POST /api/short_url
Api key auth Basic auth

Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share. Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page.

application/json

Body Required

  • humanReadableSlug boolean

    When the slug parameter is omitted, the API will generate a random human-readable slug if humanReadableSlug is set to true.

  • locatorId string Required

    The identifier for the locator.

  • params object Required

    An object which contains all necessary parameters for the given locator to resolve to a Kibana location.

    When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.

  • slug string

    A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and -._ characters. The slug must be at least 3 characters long, but no longer than 255 characters.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • accessCount integer
    • accessDate string
    • createDate string
    • id string

      The identifier for the short URL.

    • locator object
      Hide locator attributes Show locator attributes object
      • id string

        The identifier for the locator.

      • state object

        The locator parameters.

      • version string

        The version of Kibana when the short URL was created.

    • slug string

      A random human-readable slug is automatically generated if the humanReadableSlug parameter is set to true. If it is set to false, a random short string is generated.
POST /api/short_url 
curl \
 --request POST 'http://localhost:5622/api/short_url' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"humanReadableSlug":true,"locatorId":"string","params":{},"slug":"string"}'
Request examples 
{
  "humanReadableSlug": true,
  "locatorId": "string",
  "params": {},
  "slug": "string"
}
Response examples (200) 
{
  "accessCount": 42,
  "accessDate": "string",
  "createDate": "string",
  "id": "string",
  "locator": {
    "id": "string",
    "state": {},
    "version": "string"
  },
  "slug": "string"
}

Resolve a short URL Technical Preview

GET /api/short_url/_slug/{slug}
Api key auth Basic auth

Resolve a Kibana short URL by its slug.

Path parameters

  • slug string Required

    The slug of the short URL.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • accessCount integer
    • accessDate string
    • createDate string
    • id string

      The identifier for the short URL.

    • locator object
      Hide locator attributes Show locator attributes object
      • id string

        The identifier for the locator.

      • state object

        The locator parameters.

      • version string

        The version of Kibana when the short URL was created.

    • slug string

      A random human-readable slug is automatically generated if the humanReadableSlug parameter is set to true. If it is set to false, a random short string is generated.
GET /api/short_url/_slug/{slug} 
curl \
 --request GET 'http://localhost:5622/api/short_url/_slug/{slug}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "accessCount": 42,
  "accessDate": "string",
  "createDate": "string",
  "id": "string",
  "locator": {
    "id": "string",
    "state": {},
    "version": "string"
  },
  "slug": "string"
}

Delete an SLO

DELETE /s/{spaceId}/api/observability/slos/{sloId}
Api key auth Basic auth

You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • spaceId string Required

    An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.

  • sloId string Required

    An identifier for the slo.

Responses

  • 204

    Successful request

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
DELETE /s/{spaceId}/api/observability/slos/{sloId} 
curl \
 --request DELETE 'http://localhost:5622/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"
Response examples (400) 
{
  "error": "Bad Request",
  "message": "Invalid value 'foo' supplied to: [...]",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 403
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
  "statusCode": 404
}

Get shareable references

POST /api/spaces/_get_shareable_references
Api key auth Basic auth

Collect references and space contexts for saved objects.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • objects array[object] Required
    Hide objects attributes Show objects attributes object
POST /api/spaces/_get_shareable_references 
curl \
 --request POST 'http://localhost:5622/api/spaces/_get_shareable_references' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"objects":[{"id":"string","type":"string"}]}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "objects": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}

Get ingest stream settings Technical Preview

GET /api/streams/{name}/_ingest
Api key auth Basic auth

Fetches the ingest settings of an ingest stream definition

application/json

Body

object object

Additional properties are NOT allowed.
GET /api/streams/{name}/_ingest 
curl \
 --request GET 'http://localhost:5622/api/streams/{name}/_ingest' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"
Request examples 
{}