Api key auth (http_api_key)
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
The API accepts 2 different authentication methods:
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
Basic auth tokens are constructed with the Basic
keyword, followed by a space, followed by a base64-encoded string of your username:password
(separated by a :
colon).
Example: send a Authorization: Basic aGVsbG86aGVsbG8=
HTTP header with your requests to authenticate with the API.
Spaces enable you to organize your dashboards and other saved objects into meaningful categories. You can use the default space or create your own spaces.
To run APIs in non-default spaces, you must add s/{space_id}/
to the path.
For example:
curl -X GET "http://localhost:5601/s/marketing/api/data_views"
If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier.
To learn more, check out Spaces.
Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.
You must have read
privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.
curl \
--request GET https://localhost:5601/api/alerting/_health
{
"is_sufficiently_secure": true,
"alerting_framework_health": {
"read_health": {
"status": "ok",
"timestamp": "2023-01-13T01:28:00.280Z"
},
"execution_health": {
"status": "ok",
"timestamp": "2023-01-13T01:28:00.280Z"
},
"decryption_health": {
"status": "ok",
"timestamp": "2023-01-13T01:28:00.280Z"
}
},
"has_permanent_encryption_key": true
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
If you have read
privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user
built-in role.
curl \
--request GET https://localhost:5601/api/alerting/rule_types
[
{
"id": "xpack.ml.anomaly_detection_alert",
"name": "Anomaly detection alert",
"alerts": {
"context": "ml.anomaly-detection",
"mappings": {
"fieldMap": {
"kibana.alert.job_id": {
"type": "keyword",
"array": false,
"required": true
},
"kibana.alert.is_interim": {
"type": "boolean",
"array": false,
"required": false
},
"kibana.alert.top_records": {
"type": "object",
"array": true,
"dynamic": false,
"required": false,
"properties": {
"actual": {
"type": "double"
},
"job_id": {
"type": "keyword"
},
"typical": {
"type": "double"
},
"function": {
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"field_name": {
"type": "keyword"
},
"is_interim": {
"type": "boolean"
},
"record_score": {
"type": "double"
},
"by_field_name": {
"type": "keyword"
},
"by_field_value": {
"type": "keyword"
},
"detector_index": {
"type": "integer"
},
"over_field_name": {
"type": "keyword"
},
"over_field_value": {
"type": "keyword"
},
"initial_record_score": {
"type": "double"
},
"partition_field_name": {
"type": "keyword"
},
"partition_field_value": {
"type": "keyword"
}
}
},
"kibana.alert.anomaly_score": {
"type": "double",
"array": false,
"required": false
},
"kibana.alert.top_influencers": {
"type": "object",
"array": true,
"dynamic": false,
"required": false,
"properties": {
"job_id": {
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"is_interim": {
"type": "boolean"
},
"influencer_score": {
"type": "double"
},
"influencer_field_name": {
"type": "keyword"
},
"influencer_field_value": {
"type": "keyword"
},
"initial_influencer_score": {
"type": "double"
}
}
},
"kibana.alert.anomaly_timestamp": {
"type": "date",
"array": false,
"required": false
}
}
},
"shouldWrite": true
},
"category": "management",
"producer": "ml",
"action_groups": [
{
"id": "anomaly_score_match",
"name": "Anomaly score matched the condition"
},
{
"id": "recovered",
"name": "Recovered"
}
],
"is_exportable": true,
"action_variables": {
"state": [],
"params": [],
"context": [
{
"name": "timestamp",
"description": "The bucket timestamp of the anomaly"
},
{
"name": "timestampIso8601",
"description": "The bucket time of the anomaly in ISO8601 format"
},
{
"name": "jobIds",
"description": "List of job IDs that triggered the alert"
},
{
"name": "message",
"description": "Alert info message"
},
{
"name": "isInterim",
"description": "Indicate if top hits contain interim results"
},
{
"name": "score",
"description": "Anomaly score at the time of the notification action"
},
{
"name": "topRecords",
"description": "Top records"
},
{
"name": "topInfluencers",
"description": "Top influencers"
},
{
"name": "anomalyExplorerUrl",
"description": "URL to open in the Anomaly Explorer",
"useWithTripleBracesInTemplates": true
}
]
},
"rule_task_timeout": "5m",
"enabled_in_license": true,
"has_alerts_mappings": true,
"authorized_consumers": {
"ml": {
"all": true,
"read": true
},
"apm": {
"all": true,
"read": true
},
"slo": {
"all": true,
"read": true
},
"logs": {
"all": true,
"read": true
},
"siem": {
"all": true,
"read": true
},
"alerts": {
"all": true,
"read": true
},
"uptime": {
"all": true,
"read": true
},
"discover": {
"all": true,
"read": true
},
"monitoring": {
"all": true,
"read": true
},
"stackAlerts": {
"all": true,
"read": true
},
"infrastructure": {
"all": true,
"read": true
}
},
"has_fields_for_a_a_d": false,
"recovery_action_group": {
"id": "recovered",
"name": "Recovered"
},
"default_action_group_id": "anomaly_score_match",
"minimum_license_required": "platinum",
"does_set_recovery_context": true
},
{
"id": "xpack.ml.anomaly_detection_jobs_health",
"name": "Anomaly detection jobs health",
"category": "management",
"producer": "ml",
"action_groups": [
{
"id": "anomaly_detection_realtime_issue",
"name": "Issue detected"
},
{
"id": "recovered",
"name": "Recovered"
}
],
"is_exportable": true,
"action_variables": {
"state": [],
"params": [],
"context": [
{
"name": "results",
"description": "Results of the rule execution"
},
{
"name": "message",
"description": "Alert info message"
}
]
},
"rule_task_timeout": "5m",
"enabled_in_license": true,
"has_alerts_mappings": false,
"authorized_consumers": {
"ml": {
"all": true,
"read": true
},
"apm": {
"all": true,
"read": true
},
"slo": {
"all": true,
"read": true
},
"logs": {
"all": true,
"read": true
},
"siem": {
"all": true,
"read": true
},
"alerts": {
"all": true,
"read": true
},
"uptime": {
"all": true,
"read": true
},
"discover": {
"all": true,
"read": true
},
"monitoring": {
"all": true,
"read": true
},
"stackAlerts": {
"all": true,
"read": true
},
"infrastructure": {
"all": true,
"read": true
}
},
"has_fields_for_a_a_d": false,
"recovery_action_group": {
"id": "recovered",
"name": "Recovered"
},
"default_action_group_id": "anomaly_detection_realtime_issue",
"minimum_license_required": "platinum",
"does_set_recovery_context": true
}
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
The identifier for the rule.
curl \
--request GET https://localhost:5601/api/alerting/rule/{id}
{
"actions": [
{
"alerts_filter": {
"query": {
"dsl": "string",
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {},
"query": {}
}
],
"kql": "string"
},
"timeframe": {
"days": [
1
],
"hours": {
"end": "string",
"start": "string"
},
"timezone": "string"
}
},
"connector_type_id": "string",
"frequency": {
"notify_when": "onActionGroupChange",
"summary": true,
"throttle": "string"
},
"group": "string",
"id": "string",
"params": {},
"use_alert_data_for_template": true,
"uuid": "string"
}
],
"active_snoozes": [
"string"
],
"alert_delay": {
"active": 42.0
},
"api_key_created_by_user": true,
"api_key_owner": "string",
"consumer": "string",
"created_at": "string",
"created_by": "string",
"enabled": true,
"execution_status": {
"error": {
"message": "string",
"reason": "read"
},
"last_duration": 42.0,
"last_execution_date": "string",
"status": "ok",
"warning": {
"message": "string",
"reason": "maxExecutableActions"
}
},
"flapping": {
"look_back_window": 42.0,
"status_change_threshold": 42.0
},
"id": "string",
"is_snoozed_until": "string",
"last_run": {
"alerts_count": {
"active": 42.0,
"ignored": 42.0,
"new": 42.0,
"recovered": 42.0
},
"outcome": "succeeded",
"outcome_msg": [
"string"
],
"outcome_order": 42.0,
"warning": "read"
},
"mapped_params": {},
"monitoring": {
"run": {
"calculated_metrics": {
"p50": 42.0,
"p95": 42.0,
"p99": 42.0,
"success_ratio": 42.0
},
"history": [
{
"duration": 42.0,
"outcome": "succeeded",
"success": true,
"timestamp": 42.0
}
],
"last_run": {
"metrics": {
"duration": 42.0,
"gap_duration_s": 42.0,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_alerts_created": 42.0,
"total_alerts_detected": 42.0,
"total_indexing_duration_ms": 42.0,
"total_search_duration_ms": 42.0
},
"timestamp": "string"
}
}
},
"mute_all": true,
"muted_alert_ids": [
"string"
],
"name": "string",
"next_run": "string",
"notify_when": "onActionGroupChange",
"params": {},
"revision": 42.0,
"rule_type_id": "string",
"running": true,
"schedule": {
"interval": "string"
},
"scheduled_task_id": "string",
"snooze_schedule": [
{
"duration": 42.0,
"id": "string",
"rRule": {
"byhour": [
42.0
],
"byminute": [
42.0
],
"bymonth": [
42.0
],
"bymonthday": [
42.0
],
"bysecond": [
42.0
],
"bysetpos": [
42.0
],
"byweekday": [
"string"
],
"byweekno": [
42.0
],
"byyearday": [
42.0
],
"count": 42.0,
"dtstart": "string",
"freq": 0,
"interval": 42.0,
"tzid": "string",
"until": "string",
"wkst": "MO"
},
"skipRecurrences": [
"string"
]
}
],
"tags": [
"string"
],
"throttle": "string",
"updated_at": "string",
"updated_by": "string",
"view_in_app_relative_url": "string"
}
The identifier for the rule.
Default value is []
(empty).
Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
Additional properties are NOT allowed.
When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
Additional properties are NOT allowed.
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
Indicates how often alerts generate actions. Valid values include: onActionGroupChange
: Actions run when the alert status changes; onActiveAlert
: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval
: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when
at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange
, onActiveAlert
, or onThrottleInterval
.
The parameters for the rule.
Default value is {}
(empty). Additional properties are allowed.
Additional properties are NOT allowed.
Use the throttle
property in the action frequency
object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
curl \
--request PUT https://localhost:5601/api/alerting/rule/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"new name","tags":[],"params":{"index":[".updated-index"],"aggType":"avg","groupBy":"top","aggField":"sheet.version","termSize":6,"termField":"name.keyword","threshold":[1000],"timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m","thresholdComparator":"\u003e"},"actions":[{"id":"96b668d0-a1b6-11ed-afdf-d39a49596974","group":"threshold met","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"},"frequency":{"summary":false,"notify_when":"onActionGroupChange"}}],"schedule":{"interval":"1m"}}'
{
"name": "new name",
"tags": [],
"params": {
"index": [
".updated-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"schedule": {
"interval": "1m"
}
}
{
"id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74",
"name": "new name",
"tags": [],
"params": {
"index": [
".updated-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
"uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
}
},
"mute_all": false,
"next_run": "2024-03-26T23:23:51.316Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2024-03-26T23:13:20.985Z",
"created_by": "elastic",
"updated_at": "2024-03-26T23:22:59.949Z",
"updated_by": "elastic",
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 52,
"last_execution_date": "2024-03-26T23:22:51.390Z"
},
"scheduled_task_id": "4c5eda00-e74f-11ec-b72f-5b18752ff9ea",
"api_key_created_by_user": false
}
The identifier for the rule. If it is omitted, an ID is randomly generated.
Default value is []
(empty).
Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
Additional properties are NOT allowed.
The name of the application or feature that owns the rule. For example: alerts
, apm
, discover
, infrastructure
, logs
, metrics
, ml
, monitoring
, securitySolution
, siem
, stackAlerts
, or uptime
.
Indicates whether you want to run the rule on an interval basis after it is created.
Default value is true
.
When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
Additional properties are NOT allowed.
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
Indicates how often alerts generate actions. Valid values include: onActionGroupChange
: Actions run when the alert status changes; onActiveAlert
: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval
: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when
at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange
, onActiveAlert
, or onThrottleInterval
.
The rule type identifier.
The check interval, which specifies how frequently the rule conditions are checked.
Additional properties are NOT allowed.
Use the throttle
property in the action frequency
object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
The parameters for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'
{
"name": "my Elasticsearch query ESQL rule",
"params": {
"size": 0,
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
},
"threshold": [
0
],
"timeField": "@timestamp",
"searchType": "esqlQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">"
},
"actions": [
{
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"group": "query matched",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"frequency": {
"summary": false,
"notify_when": "onActiveAlert"
}
}
],
"consumer": "stackAlerts",
"schedule": {
"interval": "1d"
},
"rule_type_id": ".es-query"
}
{
"name": "my Elasticsearch query rule",
"params": {
"size": 100,
"index": [
"kibana_sample_data_logs"
],
"esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
"threshold": [
100
],
"timeField": "@timestamp",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">"
},
"actions": [
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"group": "query matched",
"params": {
"level": "info",
"message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
},
"frequency": {
"summary": true,
"throttle": "1d",
"notify_when": "onThrottleInterval"
}
},
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"group": "recovered",
"params": {
"level": "info",
"message": "Recovered"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"consumer": "alerts",
"schedule": {
"interval": "1d"
},
"rule_type_id": ".es-query"
}
{
"name": "my Elasticsearch query KQL rule",
"params": {
"size": 100,
"aggType": "count",
"groupBy": "all",
"threshold": [
1000
],
"searchType": "searchSource",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"searchConfiguration": {
"index": "90943e30-9a47-11e8-b64d-95841ca0b247",
"query": {
"query": "\"\"geo.src : \"US\" \"\"",
"language": "kuery"
}
},
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"rule_type_id": ".es-query"
}
{
"name": "my rule",
"tags": [
"cpu"
],
"params": {
"index": [
".test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"alert_delay": {
"active": 3
},
"rule_type_id": ".index-threshold"
}
{
"name": "my tracking rule",
"params": {
"index": "kibana_sample_data_logs",
"entity": "agent.keyword",
"indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
"geoField": "geo.coordinates",
"dateField\"": "@timestamp",
"boundaryType": "entireIndex",
"boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
"boundaryGeoField": "location",
"boundaryNameField": "name",
"boundaryIndexTitle": "boundary*"
},
"consumer": "alerts",
"schedule": {
"interval": "1h"
},
"rule_type_id": ".geo-containment"
}
{
"id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
"name": "my Elasticsearch query ESQL rule",
"tags": [],
"params": {
"size": 0,
"aggType": "count",
"groupBy": "all",
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
},
"threshold": [
0
],
"timeField": "@timestamp",
"searchType": "esqlQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">",
"excludeHitsFromPreviousRun\"": "true,"
},
"actions": [
{
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
"group": "query matched",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActiveAlert"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "stackAlerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1d"
},
"throttle": null,
"created_at": "2023-11-01T19:00:10.453Z",
"created_by": "elastic",
"updated_at": "2023-11-01T19:00:10.453Z",
"updated_by": "elastic\",",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-11-01T19:00:10.453Z"
},
"scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
"api_key_created_by_user": false
}
{
"id": "58148c70-407f-11ee-850e-c71febc4ca7f",
"name": "my Elasticsearch query rule",
"tags": [],
"params": {
"size": 100,
"index": [
"kibana_sample_data_logs"
],
"aggType": "count",
"esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
"groupBy": "all",
"threshold": [
100
],
"timeField": "@timestamp",
"searchType": "esQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"actions": [
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
"group": "query matched",
"params": {
"level": "info",
"message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
},
"frequency": {
"summary": true,
"throttle": "1d",
"notify_when": "onThrottleInterval"
},
"connector_type_id": ".server-log"
},
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
"group": "recovered",
"params": {
"level": "info",
"message": "Recovered"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1d"
},
"throttle": null,
"created_at": "2023-08-22T00:03:38.263Z",
"created_by": "elastic",
"updated_at": "2023-08-22T00:03:38.263Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-08-22T00:03:38.263Z"
},
"scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
"api_key_created_by_user": false
}
{
"id": "7bd506d0-2284-11ee-8fad-6101956ced88",
"name": "my Elasticsearch query KQL rule\"",
"tags": [],
"params": {
"size": 100,
"aggType": "count",
"groupBy": "all",
"threshold": [
1000
],
"searchType": "searchSource",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"searchConfiguration": {
"index": "90943e30-9a47-11e8-b64d-95841ca0b247",
"query": {
"query": "\"\"geo.src : \"US\" \"\"",
"language": "kuery"
}
},
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"actions": [],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2023-07-14T20:24:50.729Z",
"created_by": "elastic",
"updated_at": "2023-07-14T20:24:50.729Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-07-14T20:24:50.729Z"
},
"scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
"api_key_created_by_user": false
}
{
"id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
"name": "my rule",
"tags": [
"cpu"
],
"params": {
"index": [
".test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
"uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2022-06-08T17:20:31.632Z",
"created_by": "elastic",
"updated_at": "2022-06-08T17:20:31.632Z",
"updated_by": "elastic",
"alert_delay": {
"active": 3
},
"notify_when": null,
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2022-06-08T17:20:31.632Z"
},
"scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
"api_key_created_by_user": false
}
{
"id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
"name": "my tracking rule",
"tags": [],
"params": {
"index": "kibana_sample_data_logs",
"entity": "agent.keyword",
"indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
"geoField": "geo.coordinates",
"dateField": "@timestamp",
"boundaryType": "entireIndex",
"boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
"boundaryGeoField": "location",
"boundaryNameField": "name",
"boundaryIndexTitle": "boundary*"
},
"actions": [],
"enabled": true,
"running": false,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
},
"outcome_order": 0
},
"mute_all": false,
"next_run": "2024-02-15T03:26:38.033Z",
"revision": 1,
"schedule": {
"interval": "1h"
},
"throttle": null,
"created_at": "2024-02-14T19:52:55.920Z",
"created_by": "elastic",
"updated_at": "2024-02-15T03:24:32.574Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".geo-containment",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 74,
"last_execution_date": "2024-02-15T03:25:38.125Z"
},
"scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
"api_key_created_by_user": false
}
The identifier for the rule.
curl \
--request DELETE https://localhost:5601/api/alerting/rule/{id} \
--header "kbn-xsrf: true"
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_enable \
--header "kbn-xsrf: true"
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_mute_all \
--header "kbn-xsrf: true"
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_unmute_all \
--header "kbn-xsrf: true"
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_update_api_key \
--header "kbn-xsrf: true"
The identifier for the rule.
The identifier for the alert.
curl \
--request POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute \
--header "kbn-xsrf: true"
The identifier for the rule.
The identifier for the alert.
curl \
--request POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute \
--header "kbn-xsrf: true"
The number of rules to return per page.
Minimum value is 0
. Default value is 10
.
The page number to return.
Minimum value is 1
. Default value is 1
.
An Elasticsearch simple_query_string query that filters the objects in the response.
The default operator to use for the simple_query_string.
Values are OR
or AND
. Default value is OR
.
The fields to perform the simple_query_string parsed query against.
Determines which field is used to sort the results. The field must exist in the attributes
key of the response.
Determines the sort order.
Values are asc
or desc
.
Filters the rules that have a relation with the reference objects with a specific type and identifier.
Additional properties are NOT allowed.
The fields to return in the attributes
key of the response.
A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle"
. However, if you used a direct attribute of a saved object, such as updatedAt
, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22
.
List of consumers to filter.
curl \
--request GET https://localhost:5601/api/alerting/rules/_find
{
"data": [
{
"id": "3583a470-74f6-11ed-9801-35303b735aef",
"name": "my alert",
"tags": [
"cpu"
],
"params": {
"index": [
"test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "9dca3e00-74f5-11ed-9801-35303b735aef",
"uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
"connector_type_id": ".server-log"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
}
}
],
"enabled": true,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
}
},
"mute_all": false,
"next_run": "2022-12-06T01:45:23.912Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2022-12-05T23:40:33.132Z",
"created_by": "elastic",
"updated_at": "2022-12-05T23:40:33.132Z",
"updated_by": "elastic",
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 48,
"last_execution_date": "2022-12-06T01:44:23.983Z"
},
"scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
"api_key_created_by_user": false
}
],
"page": 1,
"total": 1,
"per_page": 10
}
{
"data": [
{
"id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
"name": "security_rule",
"tags": [],
"params": {
"to": "now",
"from": "now-3660s",
"meta": {
"from": "1h",
"kibana_siem_app_url": "https://localhost:5601/app/security"
},
"type": "threshold",
"index": [
"kibana_sample_data_logs"
],
"query": "*",
"author": [],
"ruleId": "an_internal_rule_id",
"threat": [],
"filters": [],
"license": "",
"version": 1,
"language": "kuery",
"severity": "low",
"immutable": false,
"riskScore": 21,
"threshold": {
"field": [
"bytes"
],
"value": 1,
"cardinality": []
},
"maxSignals": 100,
"references": [],
"description": "A security threshold rule.",
"outputIndex": "",
"exceptionsList": [],
"falsePositives": [],
"severityMapping": [],
"riskScoreMapping": []
},
"actions": [
{
"id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
"uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"group": "default",
"params": {
"documents": [
{
"rule_id": {
"[object Object]": null
},
"alert_id": {
"[object Object]": null
},
"rule_name": {
"[object Object]": null
},
"context_message": {
"[object Object]": null
}
}
]
},
"frequency": {
"summary": true,
"throttle": null,
"notify_when": "onActiveAlert"
},
"alerts_filter": {
"query": {
"kql": "",
"filters": [
{
"meta": {
"key": "client.geo.region_iso_code",
"alias": null,
"field": "client.geo.region_iso_code",
"index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
"negate": false,
"params": {
"type": "phrase",
"query": "CA-QC"
},
"disabled": false
},
"query": {
"match_phrase": {
"client.geo.region_iso_code": "CA-QC"
}
},
"$state": {
"store": "appState"
}
}
]
},
"timeframe": {
"days": [
7
],
"hours": {
"end": "17:00",
"start": "08:00"
},
"timezone": "UTC"
}
},
"connector_type_id": ".index"
}
],
"enabled": true,
"running": false,
"consumer": "siem",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": [
"Rule execution completed successfully"
],
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
},
"outcome_order": 0
},
"mute_all": false,
"next_run": "2023-05-16T20:27:49.507Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2023-05-16T15:50:28.358Z",
"created_by": "elastic",
"updated_at": "2023-05-16T20:25:42.559Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": "siem.thresholdRule",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 166,
"last_execution_date": "2023-05-16T20:26:49.590Z"
},
"scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
"api_key_created_by_user": false
}
],
"page": 1,
"total": 1,
"per_page": 10
}
Adjust APM agent configuration without need to redeploy your application.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
curl \
--request GET https://localhost:5601/api/apm/settings/agent-configuration \
--header "elastic-api-version: 2023-10-31"
{
"configurations": [
{
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
If etags match then applied_by_agent
field will be set to true
markAsAppliedByAgent=true
means "force setting it to true regardless of etag".
This is needed for Jaeger agent that doesn't have etags
Service
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/apm/settings/agent-configuration/search \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"etag":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","mark_as_applied_by_agent":true,"service":{"environment":"prod","name":"node"}}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"mark_as_applied_by_agent": true,
"service": {
"environment": "prod",
"name": "node"
}
}
{
"_id": "string",
"_index": "string",
"_score": 42.0,
"_source": {
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Configure APM agent keys to authorize requests from APM agents to the APM Server.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
Agent name
Privileges configuration
Values are event:write
or config_agent:read
.
curl \
--request POST https://localhost:5601/api/apm/agent_keys \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"name":"string","privileges":["event:write"]}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"name": "string",
"privileges": [
"event:write"
]
}
{
"agentKey": {
"api_key": "string",
"encoded": "string",
"expiration": 42,
"id": "string",
"name": "string"
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
Create a new annotation for a specific service.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
The name of the service
curl \
--request POST https://localhost:5601/api/apm/services/{serviceName}/annotation \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"@timestamp": "string",
"message": "string",
"service": {
"environment": "string",
"version": "string"
},
"tags": [
"string"
]
}
{
"_id": "string",
"_index": "string",
"_source": {
"@timestamp": "string",
"annotation": {
"title": "string",
"type": "string"
},
"event": {
"created": "string"
},
"message": "string",
"service": {
"environment": "string",
"name": "string",
"version": "string"
},
"tags": [
"string"
]
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Search for annotations related to a specific service.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
The name of the service
The environment to filter annotations by
The start date for the search
The end date for the search
curl \
--request GET https://localhost:5601/api/apm/services/{serviceName}/annotation/search \
--header "elastic-api-version: 2023-10-31"
{
"annotations": [
{
"@timestamp": 42.0,
"id": "string",
"text": "string",
"type": "version"
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Create APM fleet server schema.
Configure APM source maps.
Returns an array of Fleet artifacts, including source map uploads.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
curl \
--request GET https://localhost:5601/api/apm/sourcemaps \
--header "elastic-api-version: 2023-10-31"
{
"artifacts": [
{
"body": {
"bundleFilepath": "string",
"serviceName": "string",
"serviceVersion": "string",
"sourceMap": {
"file": "string",
"mappings": "string",
"sourceRoot": "string",
"sources": [
"string"
],
"sourcesContent": [
"string"
],
"version": 42.0
}
},
"compressionAlgorithm": "string",
"created": "string",
"decodedSha256": "string",
"decodedSize": 42.0,
"encodedSha256": "string",
"encodedSize": 42.0,
"encryptionAlgorithm": "string",
"id": "string",
"identifier": "string",
"packageName": "string",
"relative_url": "string",
"type": "string"
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
Source map identifier
Successful response
Additional properties are NOT allowed.
Bad Request response
Unauthorized response
Forbidden response
Internal Server Error response
Not Implemented response
curl \
--request DELETE https://localhost:5601/api/apm/sourcemaps/{id} \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true"
{}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}
Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.
You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.
An array containing users that are assigned to the case.
Not more than 10
elements.
A word or phrase that categorizes the case.
Maximum length is 50
.
Defines properties for connectors when type is .none
.
Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
At least 0
but not more than 10
elements.
The description for the case.
Maximum length is 30000
.
The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are cases
, observability
, or securitySolution
.
An object that contains the case settings.
Additional properties are allowed.
The severity of the case.
Values are critical
, high
, low
, or medium
. Default value is low
.
A title for the case.
Maximum length is 160
.
curl \
--request POST https://localhost:5601/api/cases \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'
{
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title 1",
"settings": {
"syncAlerts": true
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"description": "A case description.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
}
]
}
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzUzMiwxXQ==",
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"created_at": "2022-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null,
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 0,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have read
or all
privileges and the delete
sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
The cases that you want to removed. All non-ASCII characters must be URL encoded.
curl \
--request DELETE https://localhost:5601/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43 \
--header "kbn-xsrf: string"
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.
curl \
--request PATCH https://localhost:5601/api/cases \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"cases":[{"id":"a18b38a0-71b0-11ea-a0b2-c51ea50a58e2","tags":["tag-1"],"version":"WzIzLDFd","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":null,"issueType":"10006"}},"description":"A case description.","customFields":[{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":false},{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My new field value"}]}]}'
{
"cases": [
{
"id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
"tags": [
"tag-1"
],
"version": "WzIzLDFd",
"settings": {
"syncAlerts": true
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": null,
"issueType": "10006"
}
},
"description": "A case description.",
"customFields": [
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": false
},
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My new field value"
}
]
}
]
}
[
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzU0OCwxXQ==",
"category": null,
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": null,
"issueType": "10006"
}
},
"created_at": "2023-10-13T09:16:17.416Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-13T09:48:33.043Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My new field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": false
}
],
"totalComment": 0,
"external_service": {
"pushed_at": "2023-10-13T09:20:40.672Z",
"pushed_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"external_id": "10003",
"connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
"external_url": "https://hms.atlassian.net/browse/IS-4",
"connector_name": "Jira",
"external_title": "IS-4"
}
}
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Filters the returned cases by assignees. Valid values are none
or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.
Filters the returned cases by category.
he default operator to use for the simple_query_string.
Default value is OR
.
Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
The page number to return.
Default value is 1
.
The number of items to return. Limited to 100 items.
Maximum value is 100
. Default value is 20
.
Filters the returned cases by the user name of the reporter.
An Elasticsearch simple_query_string query that filters the objects in the response.
The fields to perform the simple_query_string parsed query against.
The severity of the case.
Values are critical
, high
, low
, or medium
.
Determines which field is used to sort the results.
Values are createdAt
, updatedAt
, closedAt
, title
, category
, status
, or severity
. Default value is createdAt
.
Determines the sort order.
Values are asc
or desc
. Default value is desc
.
Filters the returned cases by state.
Values are closed
, in-progress
, or open
.
Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.
curl \
--request GET https://localhost:5601/api/cases/_find
{
"page": 1,
"cases": [
{
"id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title",
"status": "open",
"version": "WzExMCwxXQ==",
"category": null,
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-12T00:16:36.371Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-12T00:27:58.162Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "Case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}
],
"total": 1,
"per_page": 5,
"count_open_cases": 1,
"count_closed_cases": 0,
"count_in_progress_cases": 0
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414
{
"id": "31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzM2LDFd",
"category": null,
"comments": [
{
"id": "2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
"type": "user",
"owner": "cases",
"comment": "A new comment",
"version": "WzM3LDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-13T15:40:32.335Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-13T15:40:32.335Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}
{
"id": "c3ff7550-def1-4e90-b6bc-c9969a4a09b1",
"tags": [
"observability",
"tag 1"
],
"owner": "observability",
"title": "Observability case title 1",
"status": "in-progress",
"version": "WzI0NywyXQ==",
"category": null,
"comments": [
{
"id": "59d438d0-79a9-4864-8d4b-e63adacebf6e",
"rule": {
"id": "03e4eb87-62ca-4e5d-9570-3d7625e9669d",
"name": "Observability rule"
},
"type": "alert",
"index": [
".internal.alerts-observability.logs.alerts-default-000001"
],
"owner": "observability",
"alertId": [
"a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
],
"version": "WzY3LDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:38.424Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
},
{
"id": "d99342d3-3aa3-4b80-90ec-a702607604f5",
"type": "user",
"owner": "observability",
"comment": "The first comment.",
"version": "WzcyLDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:57.812Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [
{
"uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-11-06T19:29:04.086Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": "2023-11-06T19:47:55.662Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "An Observability case description.",
"totalAlerts": 1,
"customFields": [],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
The add comment to case API request body varies depending on whether you are adding an alert or a comment.
Defines properties for case comment requests when type is alert.
The alert identifiers. It is required only when type
is alert
. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index
must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The alert indices. It is required only when type
is alert
. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId
array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are cases
, observability
, or securitySolution
.
The rule that is associated with the alerts. It is required only when type
is alert
. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Additional properties are allowed.
The type of comment.
Value is alert
.
curl \
--request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"type":"user","owner":"cases","comment":"A new comment."}'
{
"type": "user",
"owner": "cases",
"comment": "A new comment."
}
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
The update case comment API request body varies depending on whether you are updating an alert or a comment.
Defines properties for case comment requests when type is alert.
The alert identifiers. It is required only when type
is alert
. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index
must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The identifier for the comment. To retrieve comment IDs, use the get comments API.
The alert indices. It is required only when type
is alert
. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId
array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are cases
, observability
, or securitySolution
.
The rule that is associated with the alerts. It is required only when type
is alert
. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Additional properties are allowed.
The type of comment.
Value is alert
.
The current comment version. To retrieve version values, use the get comments API.
curl \
--request PATCH https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"id":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","type":"user","owner":"cases","comment":"An updated comment.","version":"Wzk1LDFd"}'
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "An updated comment.",
"version": "Wzk1LDFd"
}
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIwNjM2LDFd",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "An updated comment.",
"version": "WzIwNjM3LDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-24T00:37:10.832Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-24T01:27:06.210Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-24T01:27:06.210Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My new field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": false
}
],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Retrieves a paginated list of comments for a case. You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/_find
{
"assignees": [
{
"uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
],
"category": "string",
"closed_at": "2025-05-04T09:42:00+00:00",
"closed_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"comments": [
{
"alertId": [
"a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
],
"created_at": "2023-11-06T19:29:38.424Z",
"created_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"id": "73362370-ab1a-11ec-985f-97e55adae8b9",
"index": [
".internal.alerts-security.alerts-default-000001"
],
"owner": "cases",
"pushed_at": "2025-05-04T09:42:00+00:00",
"pushed_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"rule": {
"id": "94d80550-aaf4-11ec-985f-97e55adae8b9",
"name": "security_rule"
},
"type": "alert",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"version": "WzMwNDgsMV0="
}
],
"connector": {
"fields": "string",
"id": "none",
"name": "none",
"type": ".none"
},
"created_at": "2022-05-13T09:16:17.416Z",
"created_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"customFields": [
{
"key": "string",
"type": "text",
"value": "string"
}
],
"description": "A case description.",
"duration": 120,
"external_service": {
"connector_id": "string",
"connector_name": "string",
"external_id": "string",
"external_title": "string",
"external_url": "string",
"pushed_at": "2025-05-04T09:42:00+00:00",
"pushed_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
}
},
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"owner": "cases",
"settings": {
"syncAlerts": true
},
"severity": "low",
"status": "closed",
"tags": [
"tag-1"
],
"title": "Case title 1",
"totalAlerts": 0,
"totalComment": 0,
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"version": "WzUzMiwxXQ=="
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.
curl \
--request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2
{
"id": "8048b460-fe2b-11ec-b15d-779a7c8bbcc3",
"type": "user",
"owner": "cases",
"comment": "A new comment",
"version": "WzIzLDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-07T19:32:13.104Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}