Get rule details

GET /api/alerting/rule/{id}
Api key auth Basic auth

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • alerts_filter object

        Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • timeframe object

          Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • frequency object

        Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • use_alert_data_for_template boolean

        Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • alert_delay object

      Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • api_key_created_by_user boolean | null

      Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • last_duration number

        Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • status_change_threshold number Required

        The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • outcome_order number

        Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • mapped_params object

      Additional properties are allowed.

    • monitoring object

      Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • total_alerts_created number | null

              Total number of alerts created during last rule run.

            • total_alerts_detected number | null

              Total number of alerts detected during last rule run.

            • total_indexing_duration_ms number | null

              Total time spent indexing documents during last rule run in milliseconds.

            • total_search_duration_ms number | null

              Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • scheduled_task_id string

      Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • view_in_app_relative_url string | null

      Relative URL to view rule in the app.
  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

GET /api/alerting/rule/{id} 
curl \
 --request GET 'https://localhost:5601/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "actions": [
    {
      "alerts_filter": {
        "query": {
          "dsl": "string",
          "filters": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {},
              "query": {}
            }
          ],
          "kql": "string"
        },
        "timeframe": {
          "days": [
            1
          ],
          "hours": {
            "end": "string",
            "start": "string"
          },
          "timezone": "string"
        }
      },
      "connector_type_id": "string",
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": true,
        "throttle": "string"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "use_alert_data_for_template": true,
      "uuid": "string"
    }
  ],
  "active_snoozes": [
    "string"
  ],
  "alert_delay": {
    "active": 42.0
  },
  "api_key_created_by_user": true,
  "api_key_owner": "string",
  "consumer": "string",
  "created_at": "string",
  "created_by": "string",
  "enabled": true,
  "execution_status": {
    "error": {
      "message": "string",
      "reason": "read"
    },
    "last_duration": 42.0,
    "last_execution_date": "string",
    "status": "ok",
    "warning": {
      "message": "string",
      "reason": "maxExecutableActions"
    }
  },
  "flapping": {
    "look_back_window": 42.0,
    "status_change_threshold": 42.0
  },
  "id": "string",
  "is_snoozed_until": "string",
  "last_run": {
    "alerts_count": {
      "active": 42.0,
      "ignored": 42.0,
      "new": 42.0,
      "recovered": 42.0
    },
    "outcome": "succeeded",
    "outcome_msg": [
      "string"
    ],
    "outcome_order": 42.0,
    "warning": "read"
  },
  "mapped_params": {},
  "monitoring": {
    "run": {
      "calculated_metrics": {
        "p50": 42.0,
        "p95": 42.0,
        "p99": 42.0,
        "success_ratio": 42.0
      },
      "history": [
        {
          "duration": 42.0,
          "outcome": "succeeded",
          "success": true,
          "timestamp": 42.0
        }
      ],
      "last_run": {
        "metrics": {
          "duration": 42.0,
          "gap_duration_s": 42.0,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_alerts_created": 42.0,
          "total_alerts_detected": 42.0,
          "total_indexing_duration_ms": 42.0,
          "total_search_duration_ms": 42.0
        },
        "timestamp": "string"
      }
    }
  },
  "mute_all": true,
  "muted_alert_ids": [
    "string"
  ],
  "name": "string",
  "next_run": "string",
  "notify_when": "onActionGroupChange",
  "params": {},
  "revision": 42.0,
  "rule_type_id": "string",
  "running": true,
  "schedule": {
    "interval": "string"
  },
  "scheduled_task_id": "string",
  "snooze_schedule": [
    {
      "duration": 42.0,
      "id": "string",
      "rRule": {
        "byhour": [
          42.0
        ],
        "byminute": [
          42.0
        ],
        "bymonth": [
          42.0
        ],
        "bymonthday": [
          42.0
        ],
        "bysecond": [
          42.0
        ],
        "bysetpos": [
          42.0
        ],
        "byweekday": [
          "string"
        ],
        "byweekno": [
          42.0
        ],
        "byyearday": [
          42.0
        ],
        "count": 42.0,
        "dtstart": "string",
        "freq": 0,
        "interval": 42.0,
        "tzid": "string",
        "until": "string",
        "wkst": "MO"
      },
      "skipRecurrences": [
        "string"
      ]
    }
  ],
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updated_at": "string",
  "updated_by": "string",
  "view_in_app_relative_url": "string"
}

Delete a rule

DELETE /api/alerting/rule/{id}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

DELETE /api/alerting/rule/{id} 
curl \
 --request DELETE 'https://localhost:5601/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Schedule a snooze for the rule

POST /api/alerting/rule/{id}/snooze_schedule
Api key auth Basic auth

When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    Identifier of the rule.

application/json

Body

  • schedule object Required

    Additional properties are NOT allowed.

    Hide schedule attribute Show schedule attribute object
    • custom object

      Additional properties are NOT allowed.

      Hide custom attributes Show custom attributes object
      • duration string Required

        The duration of the schedule. It allows values in <integer><unit> format. <unit> is one of d, h, m, or s for hours, minutes, seconds. For example: 1d, 5h, 30m, 5000s.

      • recurring object

        Additional properties are NOT allowed.

        Hide recurring attributes Show recurring attributes object
        • end string

          The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: 2025-04-01T00:00:00.000Z.

        • every string

          The interval and frequency of a recurring schedule. It allows values in <integer><unit> format. <unit> is one of d, w, M, or y for days, weeks, months, years. For example: 15d, 2w, 3m, 1y.

        • occurrences number

          The total number of recurrences of the schedule.

          Minimum value is 1.

        • onMonth array[number]

          The specific months for a recurring schedule. Valid values are 1-12.

          At least 1 element. Minimum value of each is 1, maximum value of each is 12.

        • onMonthDay array[number]

          The specific days of the month for a recurring schedule. Valid values are 1-31.

          At least 1 element. Minimum value of each is 1, maximum value of each is 31.

        • onWeekDay array[string]

          The specific days of the week ([MO,TU,WE,TH,FR,SA,SU]) or nth day of month ([+1MO, -3FR, +2WE, -4SA, -5SU]) for a recurring schedule.

          At least 1 element.

      • start string Required

        The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: 2025-03-12T12:00:00.000Z.

      • timezone string

        The timezone of the schedule. The default timezone is UTC.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • body object Required

      Additional properties are NOT allowed.

      Hide body attribute Show body attribute object
      • schedule object Required

        Additional properties are NOT allowed.

        Hide schedule attributes Show schedule attributes object
        • custom object

          Additional properties are NOT allowed.

          Hide custom attributes Show custom attributes object
          • duration string Required

            The duration of the schedule. It allows values in <integer><unit> format. <unit> is one of d, h, m, or s for hours, minutes, seconds. For example: 1d, 5h, 30m, 5000s.

          • recurring object

            Additional properties are NOT allowed.

            Hide recurring attributes Show recurring attributes object
            • end string

              The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: 2025-04-01T00:00:00.000Z.

            • every string

              The interval and frequency of a recurring schedule. It allows values in <integer><unit> format. <unit> is one of d, w, M, or y for days, weeks, months, years. For example: 15d, 2w, 3m, 1y.

            • occurrences number

              The total number of recurrences of the schedule.

              Minimum value is 1.

            • onMonth array[number]

              The specific months for a recurring schedule. Valid values are 1-12.

              At least 1 element. Minimum value of each is 1, maximum value of each is 12.

            • onMonthDay array[number]

              The specific days of the month for a recurring schedule. Valid values are 1-31.

              At least 1 element. Minimum value of each is 1, maximum value of each is 31.

            • onWeekDay array[string]

              The specific days of the week ([MO,TU,WE,TH,FR,SA,SU]) or nth day of month ([+1MO, -3FR, +2WE, -4SA, -5SU]) for a recurring schedule.

              At least 1 element.

          • start string Required

            The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: 2025-03-12T12:00:00.000Z.

          • timezone string

            The timezone of the schedule. The default timezone is UTC.

        • id string Required

          Identifier of the snooze schedule.
  • 400

    Indicates an invalid schema.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given id does not exist.

POST /api/alerting/rule/{id}/snooze_schedule 
curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}/snooze_schedule' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"schedule":{"custom":{"duration":"string","recurring":{"end":"string","every":"string","occurrences":42.0,"onMonth":[42.0],"onMonthDay":[42.0],"onWeekDay":["string"]},"start":"string","timezone":"string"}}}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "schedule": {
    "custom": {
      "duration": "string",
      "recurring": {
        "end": "string",
        "every": "string",
        "occurrences": 42.0,
        "onMonth": [
          42.0
        ],
        "onMonthDay": [
          42.0
        ],
        "onWeekDay": [
          "string"
        ]
      },
      "start": "string",
      "timezone": "string"
    }
  }
}
Response examples (200) 
{
  "body": {
    "schedule": {
      "custom": {
        "duration": "string",
        "recurring": {
          "end": "string",
          "every": "string",
          "occurrences": 42.0,
          "onMonth": [
            42.0
          ],
          "onMonthDay": [
            42.0
          ],
          "onWeekDay": [
            "string"
          ]
        },
        "start": "string",
        "timezone": "string"
      },
      "id": "string"
    }
  }
}

Unmute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute 
curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get information about rules

GET /api/alerting/rules/_find
Api key auth Basic auth

Query parameters

  • per_page number

    The number of rules to return per page.

    Minimum value is 0. Default value is 10.

  • page number

    The page number to return.

    Minimum value is 1. Default value is 1.

  • default_search_operator string

    The default operator to use for the simple_query_string.

    Values are OR or AND. Default value is OR.

  • search_fields array[string] | string

    The fields to perform the simple_query_string parsed query against.

  • sort_field string

    Determines which field is used to sort the results. The field must exist in the attributes key of the response.

  • sort_order string

    Determines the sort order.

    Values are asc or desc.

  • has_reference object | null

    Filters the rules that have a relation with the reference objects with a specific type and identifier.

    Additional properties are NOT allowed.

    Hide has_reference attributes Show has_reference attributes object | null
  • fields array[string]

    The fields to return in the attributes key of the response.

  • filter string

    A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22.

  • filter_consumers array[string]

    List of consumers to filter.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • alerts_filter object

        Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • timeframe object

          Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • frequency object

        Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • use_alert_data_for_template boolean

        Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • alert_delay object

      Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • api_key_created_by_user boolean | null

      Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • last_duration number

        Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • status_change_threshold number Required

        The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • outcome_order number

        Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • mapped_params object

      Additional properties are allowed.

    • monitoring object

      Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • total_alerts_created number | null

              Total number of alerts created during last rule run.

            • total_alerts_detected number | null

              Total number of alerts detected during last rule run.

            • total_indexing_duration_ms number | null

              Total time spent indexing documents during last rule run in milliseconds.

            • total_search_duration_ms number | null

              Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • scheduled_task_id string

      Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • view_in_app_relative_url string | null

      Relative URL to view rule in the app.
  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

GET /api/alerting/rules/_find 
curl \
 --request GET 'https://localhost:5601/api/alerting/rules/_find' \
 --header "Authorization: $API_KEY"
Response examples (200)
A response that contains information about an index threshold rule. 
{
  "data": [
    {
      "id": "3583a470-74f6-11ed-9801-35303b735aef",
      "name": "my alert",
      "tags": [
        "cpu"
      ],
      "params": {
        "index": [
          "test-index"
        ],
        "aggType": "avg",
        "groupBy": "top",
        "aggField": "sheet.version",
        "termSize": 6,
        "termField": "name.keyword",
        "threshold": [
          1000
        ],
        "timeField": "@timestamp",
        "timeWindowSize": 5,
        "timeWindowUnit": "m",
        "thresholdComparator": ">"
      },
      "actions": [
        {
          "id": "9dca3e00-74f5-11ed-9801-35303b735aef",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "threshold met",
          "params": {
            "level": "info",
            "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
            "connector_type_id": ".server-log"
          },
          "frequency": {
            "summary": false,
            "throttle": null,
            "notify_when": "onActionGroupChange"
          }
        }
      ],
      "enabled": true,
      "consumer": "alerts",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": null,
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        }
      },
      "mute_all": false,
      "next_run": "2022-12-06T01:45:23.912Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2022-12-05T23:40:33.132Z",
      "created_by": "elastic",
      "updated_at": "2022-12-05T23:40:33.132Z",
      "updated_by": "elastic",
      "rule_type_id": ".index-threshold",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 48,
        "last_execution_date": "2022-12-06T01:44:23.983Z"
      },
      "scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}
A response that contains information about a security rule that has conditional actions. 
{
  "data": [
    {
      "id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "name": "security_rule",
      "tags": [],
      "params": {
        "to": "now",
        "from": "now-3660s",
        "meta": {
          "from": "1h",
          "kibana_siem_app_url": "https://localhost:5601/app/security"
        },
        "type": "threshold",
        "index": [
          "kibana_sample_data_logs"
        ],
        "query": "*",
        "author": [],
        "ruleId": "an_internal_rule_id",
        "threat": [],
        "filters": [],
        "license": "",
        "version": 1,
        "language": "kuery",
        "severity": "low",
        "immutable": false,
        "riskScore": 21,
        "threshold": {
          "field": [
            "bytes"
          ],
          "value": 1,
          "cardinality": []
        },
        "maxSignals": 100,
        "references": [],
        "description": "A security threshold rule.",
        "outputIndex": "",
        "exceptionsList": [],
        "falsePositives": [],
        "severityMapping": [],
        "riskScoreMapping": []
      },
      "actions": [
        {
          "id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "default",
          "params": {
            "documents": [
              {
                "rule_id": {
                  "[object Object]": null
                },
                "alert_id": {
                  "[object Object]": null
                },
                "rule_name": {
                  "[object Object]": null
                },
                "context_message": {
                  "[object Object]": null
                }
              }
            ]
          },
          "frequency": {
            "summary": true,
            "throttle": null,
            "notify_when": "onActiveAlert"
          },
          "alerts_filter": {
            "query": {
              "kql": "",
              "filters": [
                {
                  "meta": {
                    "key": "client.geo.region_iso_code",
                    "alias": null,
                    "field": "client.geo.region_iso_code",
                    "index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
                    "negate": false,
                    "params": {
                      "type": "phrase",
                      "query": "CA-QC"
                    },
                    "disabled": false
                  },
                  "query": {
                    "match_phrase": {
                      "client.geo.region_iso_code": "CA-QC"
                    }
                  },
                  "$state": {
                    "store": "appState"
                  }
                }
              ]
            },
            "timeframe": {
              "days": [
                7
              ],
              "hours": {
                "end": "17:00",
                "start": "08:00"
              },
              "timezone": "UTC"
            }
          },
          "connector_type_id": ".index"
        }
      ],
      "enabled": true,
      "running": false,
      "consumer": "siem",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": [
          "Rule execution completed successfully"
        ],
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        },
        "outcome_order": 0
      },
      "mute_all": false,
      "next_run": "2023-05-16T20:27:49.507Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2023-05-16T15:50:28.358Z",
      "created_by": "elastic",
      "updated_at": "2023-05-16T20:25:42.559Z",
      "updated_by": "elastic",
      "notify_when": null,
      "rule_type_id": "siem.thresholdRule",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 166,
        "last_execution_date": "2023-05-16T20:26:49.590Z"
      },
      "scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}

Get a list of agent configurations

GET /api/apm/settings/agent-configuration
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • configurations array[object]

      Agent configuration

      Agent configuration

      Hide configurations attributes Show configurations attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration 
curl \
 --request GET 'https://localhost:5601/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"
Response examples (200) 
{
  "configurations": [
    {
      "@timestamp": 1730194190636,
      "agent_name": "string",
      "applied_by_agent": true,
      "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
      "service": {
        "environment": "prod",
        "name": "node"
      },
      "settings": {
        "additionalProperty1": "string",
        "additionalProperty2": "string"
      }
    }
  ]
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get agent name for service

GET /api/apm/settings/agent-configuration/agent_name
Api key auth Basic auth

Retrieve agentName for a service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/agent_name 
curl \
 --request GET 'https://localhost:5601/api/apm/settings/agent-configuration/agent_name?serviceName=node' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"
Response examples (200) 
{
  "agentName": "nodejs"
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get single agent configuration

GET /api/apm/settings/agent-configuration/view
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/view 
curl \
 --request GET 'https://localhost:5601/api/apm/settings/agent-configuration/view' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"
Response examples (200) 
{
  "id": "string",
  "@timestamp": 1730194190636,
  "agent_name": "string",
  "applied_by_agent": true,
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Create an APM agent key

POST /api/apm/agent_keys
Api key auth Basic auth

Create a new agent key for APM.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • name string Required

    Agent name

  • privileges array[string] Required

    Privileges configuration

    Values are event:write or config_agent:read.

Responses

  • 200 application/json

    Agent key created successfully

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
POST /api/apm/agent_keys 
curl \
 --request POST 'https://localhost:5601/api/apm/agent_keys' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"name":"string","privileges":["event:write"]}'
Request examples 
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "name": "string",
  "privileges": [
    "event:write"
  ]
}
Response examples (200) 
{
  "agentKey": {
    "api_key": "string",
    "encoded": "string",
    "expiration": 42,
    "id": "string",
    "name": "string"
  }
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500) 
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

Create a case

POST /api/cases
Api key auth Basic auth

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • assignees array[object] | null

    An array containing users that are assigned to the case.

    Not more than 10 elements.

    Hide assignees attribute Show assignees attribute object
    • uid string Required

      A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

  • category string

    A word or phrase that categorizes the case.

    Maximum length is 50.

  • connector object Required

    One of:
    Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

    Defines properties for connectors when type is .none.

    Hide attributes Show attributes
    • fields string | null Required

      An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

    • id string Required

      The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

    • name string Required

      The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

    • type string Required

      The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

      Value is .none.

  • customFields array[object]

    Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.

    At least 0 but not more than 10 elements.

    Hide customFields attributes Show customFields attributes object
    • key string Required

      The unique identifier for the custom field. The key value must exist in the case configuration settings.

    • type string Required

      The custom field type. It must match the type specified in the case configuration settings.

      Values are text or toggle.

    • value string | null | boolean Required

      The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

      One of:
      string-1 string | null boolean-2 boolean

      Minimum length is 1, maximum length is 160.

  • description string Required

    The description for the case.

    Maximum length is 30000.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • settings object Required

    An object that contains the case settings.

    Hide settings attribute Show settings attribute object
    • syncAlerts boolean Required

      Turns alert syncing on or off.

  • severity string

    The severity of the case.

    Values are critical, high, low, or medium. Default value is low.

  • tags array[string] Required

    The words and phrases that help categorize cases. It can be an empty array.

    Not more than 200 elements. Maximum length of each is 256.

  • title string Required

    A title for the case.

    Maximum length is 160.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required
      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
      Hide attributes Show attributes

    • connector object Required

      One of:
      Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:
        string-1 string | null boolean-2 boolean

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required
      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required
      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases 
curl \
 --request POST 'https://localhost:5601/api/cases' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'
Request example 
{
  "tags": [
    "tag-1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "settings": {
    "syncAlerts": true
  },
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "description": "A case description.",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    }
  ]
}
Response examples (200) 
{
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzUzMiwxXQ==",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "created_at": "2022-10-13T15:33:50.604Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": null
    }
  ],
  "totalComment": 0,
  "external_service": null
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case creators

GET /api/cases/reporters
Api key auth Basic auth

Returns information about the users who opened cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/reporters 
curl \
 --request GET 'https://localhost:5601/api/cases/reporters' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  {
    "email": "jdoe@example.com",
    "username": "jdoe",
    "full_name": "Jane Doe",
    "profile_uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }
]
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Run a connector

POST /api/actions/connector/{id}/_execute
Api key auth Basic auth

You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

application/json

Body

  • params object Required

    One of:
    run_acknowledge_resolve_pagerduty object run_documents object run_message_email object run_message_serverlog object run_message_slack object run_trigger_pagerduty object run_addevent object run_closealert object run_closeincident object run_createalert object run_fieldsbyissuetype object run_getchoices object run_getfields object run_getincident object run_issue object run_issues object run_issuetypes object run_postmessage object run_pushtoservice object run_validchannelid object

    Test an action that acknowledges or resolves a PagerDuty alert.

    Hide attributes Show attributes
    • dedupKey string Required

      The deduplication key for the PagerDuty alert.

      Maximum length is 255.

    • eventAction string Required

      The type of event.

      Values are acknowledge or resolve.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • is_missing_secrets boolean

      Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.
POST /api/actions/connector/{id}/_execute 
curl \
 --request POST 'https://localhost:5601/api/actions/connector/{id}/_execute' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"params":{"documents":[{"id":"my_doc_id","name":"my_doc_name","message":"hello, world"}]}}'
Request examples 
{
  "params": {
    "documents": [
      {
        "id": "my_doc_id",
        "name": "my_doc_name",
        "message": "hello, world"
      }
    ]
  }
}
{
  "params": {
    "subAction": "issueTypes"
  }
}
{
  "params": {
    "subAction": "getChoices",
    "subActionParams": {
      "fields": [
        "severity",
        "urgency"
      ]
    }
  }
}
{
  "params": {
    "subAction": "postMessage",
    "subActionParams": {
      "text": "A test message.",
      "channelIds": [
        "C123ABC456"
      ]
    }
  }
}
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "comments": [
        {
          "comment": "A comment about the incident.",
          "commentId": 1
        }
      ],
      "incident": {
        "caseId": "1000",
        "caseName": "Case name",
        "description": "Description of the incident."
      }
    }
  }
}
Response examples (200) 
{
  "data": {
    "took": 135,
    "items": [
      {
        "create": {
          "_id": "4JtvwYUBrcyxt2NnfW3y",
          "_index": "my-index",
          "result": "created",
          "status": 201,
          "_seq_no": 0,
          "_shards": {
            "total": 2,
            "failed": 0,
            "successful": 1
          },
          "_version": 1,
          "_primary_term": 1
        }
      }
    ],
    "errors": false
  },
  "status": "ok",
  "connector_id": "fd38c600-96a5-11ed-bb79-353b74189cba"
}
{
  "data": [
    {
      "id": 10024,
      "name": "Improvement"
    },
    {
      "id": 10006,
      "name": "Task"
    },
    {
      "id": 10007,
      "name": "Sub-task"
    },
    {
      "id": 10025,
      "name": "New Feature"
    },
    {
      "id": 10023,
      "name": "Bug"
    },
    {
      "id": 10000,
      "name": "Epic"
    }
  ],
  "status": "ok",
  "connector_id": "b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}
{
  "status": "ok",
  "connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}
{
  "data": [
    {
      "label": "Critical",
      "value": 1,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Major",
      "value": 2,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Minor",
      "value": 3,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Warning",
      "value": 4,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "OK",
      "value": 5,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Clear",
      "value": 0,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "1 - High",
      "value": 1,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "2 - Medium",
      "value": 2,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "3 - Low",
      "value": 3,
      "element": "urgency",
      "dependent_value": ""
    }
  ],
  "status": "ok",
  "connector_id": "9d9be270-2fd2-11ed-b0e0-87533c532698"
}
{
  "data": {
    "ok": true,
    "ts": "1234567890.123456",
    "channel": "C123ABC456",
    "message": {
      "ts": "1234567890.123456",
      "team": "T01ABCDE2F",
      "text": "A test message",
      "type": "message",
      "user": "U12A345BC6D",
      "app_id": "A01BC2D34EF",
      "blocks": [
        {
          "type": "rich_text",
          "block_id": "/NXe",
          "elements": [
            {
              "type": "rich_text_section",
              "elements": [
                {
                  "text": "A test message.",
                  "type": "text"
                }
              ]
            }
          ]
        }
      ],
      "bot_id": "B12BCDEFGHI",
      "bot_profile": {
        "id": "B12BCDEFGHI",
        "name": "test",
        "icons": {
          "image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"
        },
        "app_id": "A01BC2D34EF",
        "deleted": false,
        "team_id": "T01ABCDE2F",
        "updated": 1672169705
      }
    }
  },
  "status": "ok",
  "connector_id": ".slack_api"
}
{
  "data": {
    "id": "aKPmBHWzmdRQtx6Mx",
    "url": "https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx",
    "title": "TEST-457",
    "comments": [
      {
        "commentId": 1,
        "pushedDate": "2022-09-08T16:52:27.865Z"
      }
    ],
    "pushedDate": "2022-09-08T16:52:27.866Z"
  },
  "status": "ok",
  "connector_id": "a4746470-2f94-11ed-b0e0-87533c532698"
}

Get a list of dashboards Technical Preview

GET /api/dashboards/dashboard
Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Query parameters

  • page number

    The page number to return. Default is "1".

    Minimum value is 1. Default value is 1.

  • perPage number

    The number of dashboards to display on each page (max 1000). Default is "20".

    Minimum value is 1, maximum value is 1000.

Responses

GET /api/dashboards/dashboard 
curl \
 --request GET 'https://localhost:5601/api/dashboards/dashboard' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "items": [
    {
      "attributes": {
        "description": "",
        "tags": [
          "string"
        ],
        "timeRestore": false,
        "title": "string"
      },
      "createdAt": "string",
      "createdBy": "string",
      "error": {
        "error": "string",
        "message": "string",
        "metadata": {},
        "statusCode": 42.0
      },
      "id": "string",
      "managed": true,
      "namespaces": [
        "string"
      ],
      "originId": "string",
      "references": [
        {
          "id": "string",
          "name": "string",
          "type": "string"
        }
      ],
      "type": "string",
      "updatedAt": "string",
      "updatedBy": "string",
      "version": "string"
    }
  ],
  "total": 42.0
}

Get a dashboard Technical Preview

GET /api/dashboards/dashboard/{id}
Api key auth Basic auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Path parameters

  • id string Required

    A unique identifier for the dashboard.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • controlGroupInput object

          Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • autoApplySelections boolean

            Show apply selections button in controls.

            Default value is true.

          • chainingSystem string

            The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • controlConfig object

              Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • enhancements object

            Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • ignoreFilters boolean

              Ignore global filters in controls.

              Default value is false.

            • ignoreQuery boolean

              Ignore the global query bar in controls.

              Default value is false.

            • ignoreTimerange boolean

              Ignore the global time range in controls.

              Default value is false.

            • ignoreValidations boolean

              Ignore validations in controls.

              Default value is false.

          • labelPosition string

            Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • description string

          A short description.

          Default value is empty.

        • kibanaSavedObjectMeta object

          A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • searchSource object

            Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]

              A filter for the search source.

              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • hidePanelTitles boolean

            Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • syncTooltips boolean

            Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • panelRefName string
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • refreshInterval object

          A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • tags array[string]

          An array of tags applied to this dashboard

        • timeFrom string

          An ISO string indicating when to restore time from

        • timeRestore boolean

          Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • createdAt string
      • createdBy string
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • updatedAt string
      • updatedBy string
      • version string
    • meta object Required

      Additional properties are NOT allowed.

      Hide meta attributes Show meta attributes object
GET /api/dashboards/dashboard/{id} 
curl \
 --request GET 'https://localhost:5601/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "tags": [
        "string"
      ],
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  },
  "meta": {
    "aliasPurpose": "savedObjectConversion",
    "aliasTargetId": "string",
    "outcome": "exactMatch"
  }
}

Update a data view

POST /api/data_views/data_view/{viewId}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • data_view object Required

    The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.

    Hide data_view attributes Show data_view attributes object
    • allowNoIndex boolean

      Allows the data view saved object to exist before the data is available.

    • fieldFormats object

      A map of field formats by field name.

    • fields object
    • name string
    • runtimeFieldMap object
      Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
      • * object Additional properties

        A map of runtime field definitions by field name.

        Hide * attributes Show * attributes object
        • script object Required
          Hide script attribute Show script attribute object
          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      Hide sourceFilters attribute Show sourceFilters attribute object
    • timeFieldName string

      The timestamp field name, which you use for time-based data views.

    • title string

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • type string

      When set to rollup, identifies the rollup data views.

    • typeMeta object

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Hide typeMeta attributes Show typeMeta attributes object
      • aggs object Required

        A map of rollup restrictions by aggregation type and field name.

      • params object Required

        Properties for retrieving rollup fields.

  • refresh_fields boolean

    Reloads the data view fields after the data view is updated.

    Default value is false.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • data_view object
      Hide data_view attributes Show data_view attributes object
      • allowNoIndex boolean

        Allows the data view saved object to exist before the data is available.

      • fieldAttrs object
        Hide fieldAttrs attribute Show fieldAttrs attribute object
        • * object Additional properties

          A map of field attributes by field name.

          Hide * attributes Show * attributes object
      • fieldFormats object

        A map of field formats by field name.

      • fields object
      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • runtimeFieldMap object
        Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
        • * object Additional properties

          A map of runtime field definitions by field name.

          Hide * attributes Show * attributes object
          • script object Required
            Hide script attribute Show script attribute object
            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        Hide sourceFilters attribute Show sourceFilters attribute object
      • timeFieldName string

        The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Hide typeMeta attributes Show typeMeta attributes object | null
        • aggs object

          A map of rollup restrictions by aggregation type and field name.

        • params object

          Properties for retrieving rollup fields.

      • version string
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId} 
curl \
 --request POST 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"data_view":{"name":"Kibana Sample Data eCommerce","title":"kibana_sample_data_ecommerce","allowNoIndex":false,"timeFieldName":"order_date"},"refresh_fields":true}'
Request example 
{
  "data_view": {
    "name": "Kibana Sample Data eCommerce",
    "title": "kibana_sample_data_ecommerce",
    "allowNoIndex": false,
    "timeFieldName": "order_date"
  },
  "refresh_fields": true
}
Response examples (200) 
{
  "data_view": {
    "allowNoIndex": true,
    "fieldAttrs": {
      "additionalProperty1": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      },
      "additionalProperty2": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      }
    },
    "fieldFormats": {},
    "fields": {},
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "string",
    "namespaces": [
      "default"
    ],
    "runtimeFieldMap": {
      "additionalProperty1": {
        "script": {
          "source": "string"
        },
        "type": "string"
      },
      "additionalProperty2": {
        "script": {
          "source": "string"
        },
        "type": "string"
      }
    },
    "sourceFilters": [
      {
        "value": "string"
      }
    ],
    "timeFieldName": "string",
    "title": "string",
    "typeMeta": {
      "aggs": {},
      "params": {}
    },
    "version": "WzQ2LDJd"
  }
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Update data view fields metadata

POST /api/data_views/data_view/{viewId}/fields
Api key auth Basic auth

Update fields presentation metadata such as count, customLabel, customDescription, and format.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • fields object Required

    The field object.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId}/fields 
curl \
 --request POST 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/fields' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"fields":{"field1":{"count":123,"customLabel":"Field 1 label"},"field2":{"customLabel":"Field 2 label","customDescription":"Field 2 description"}}}'
Request example 
{
  "fields": {
    "field1": {
      "count": 123,
      "customLabel": "Field 1 label"
    },
    "field2": {
      "customLabel": "Field 2 label",
      "customDescription": "Field 2 description"
    }
  }
}
Response examples (200) 
{
  "acknowledged": true
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Create a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • name string Required

    The name for a runtime field.

  • runtimeField object Required

    The runtime field definition object.

Responses

  • 200 application/json

    Indicates a successful call.
POST /api/data_views/data_view/{viewId}/runtime_field 
curl \
 --request POST 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
Request example 
{
  "name": "runtimeFoo",
  "runtimeField": {
    "type": "long",
    "script": {
      "source": "emit(doc[\"foo\"].value)"
    }
  }
}
Response examples (200) 
{}

Elastic Agent actions

Create an agent binary download source

POST /api/fleet/agent_download_sources
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agent_download_sources 
curl \
 --request POST 'https://localhost:5601/api/fleet/agent_download_sources' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host":"https://example.com","id":"string","is_default":false,"name":"string","proxy_id":"string","secrets":{"ssl":{"key":{"id":"string"}}},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string"}}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "host": "https://example.com",
  "id": "string",
  "is_default": false,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string"
  }
}
Response examples (200) 
{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string",
    "secrets": {
      "ssl": {
        "key": {
          "id": "string"
        }
      }
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string"
    }
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a package

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}
Api key auth Basic auth

Query parameters

Responses

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion} 
curl \
 --request GET 'https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "agent": {
      "privileges": {
        "root": true
      }
    },
    "asset_tags": [
      {
        "asset_ids": [
          "string"
        ],
        "asset_types": [
          "string"
        ],
        "text": "string"
      }
    ],
    "assets": {},
    "categories": [
      "string"
    ],
    "conditions": {
      "elastic": {
        "capabilities": [
          "string"
        ],
        "subscription": "string"
      },
      "kibana": {
        "version": "string"
      }
    },
    "data_streams": [
      {}
    ],
    "description": "string",
    "discovery": {
      "fields": [
        {
          "name": "string"
        }
      ]
    },
    "download": "string",
    "elasticsearch": {},
    "format_version": "string",
    "icons": [
      {
        "dark_mode": true,
        "path": "string",
        "size": "string",
        "src": "string",
        "title": "string",
        "type": "string"
      }
    ],
    "installationInfo": {
      "additional_spaces_installed_kibana": {
        "additionalProperty1": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ],
        "additionalProperty2": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ]
      },
      "created_at": "string",
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "install_format_schema_version": "string",
      "install_source": "registry",
      "install_status": "installed",
      "installed_es": [
        {
          "deferred": true,
          "id": "string",
          "type": "index",
          "version": "string"
        }
      ],
      "installed_kibana": [
        {
          "id": "string",
          "originId": "string",
          "type": "dashboard"
        }
      ],
      "installed_kibana_space_id": "string",
      "latest_executed_state": {
        "error": "string",
        "name": "string",
        "started_at": "string"
      },
      "latest_install_failed_attempts": [
        {
          "created_at": "string",
          "error": {
            "message": "string",
            "name": "string",
            "stack": "string"
          },
          "target_version": "string"
        }
      ],
      "name": "string",
      "namespaces": [
        "string"
      ],
      "type": "string",
      "updated_at": "string",
      "verification_key_id": "string",
      "verification_status": "unverified",
      "version": "string"
    },
    "internal": true,
    "keepPoliciesUpToDate": true,
    "latestVersion": "string",
    "license": "string",
    "licensePath": "string",
    "name": "string",
    "notice": "string",
    "owner": {
      "github": "string",
      "type": "elastic"
    },
    "path": "string",
    "policy_templates": [
      {}
    ],
    "readme": "string",
    "release": "ga",
    "screenshots": [
      {
        "dark_mode": true,
        "path": "string",
        "size": "string",
        "src": "string",
        "title": "string",
        "type": "string"
      }
    ],
    "signature_path": "string",
    "source": {
      "license": "string"
    },
    "status": "string",
    "title": "string",
    "type": "integration",
    "vars": [
      {}
    ],
    "version": "string"
  },
  "metadata": {
    "has_policies": true
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a package file

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
Api key auth Basic auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Path parameters

Responses

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath} 
curl \
 --request GET 'https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}' \
 --header "Authorization: $API_KEY"
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get enrollment API keys

GET /api/fleet/enrollment_api_keys
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.

Query parameters

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • policy_id string

        The ID of the agent policy the Elastic Agent will be enrolled in.

    • list array[object] Required Deprecated
      Hide list attributes Show list attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • policy_id string

        The ID of the agent policy the Elastic Agent will be enrolled in.

    • page number Required
    • perPage number Required
    • total number Required
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/enrollment_api_keys 
curl \
 --request GET 'https://localhost:5601/api/fleet/enrollment_api_keys' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "items": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "list": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete output

DELETE /api/fleet/outputs/{outputId}
Api key auth Basic auth

Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

DELETE /api/fleet/outputs/{outputId} 
curl \
 --request DELETE 'https://localhost:5601/api/fleet/outputs/{outputId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"
Response examples (200) 
{
  "id": "string"
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get Fleet Server hosts

GET /api/fleet/fleet_server_hosts
Api key auth Basic auth

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.

Responses

GET /api/fleet/fleet_server_hosts 
curl \
 --request GET 'https://localhost:5601/api/fleet/fleet_server_hosts' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "items": [
    {
      "host_urls": [
        "string"
      ],
      "id": "string",
      "is_default": false,
      "is_internal": true,
      "is_preconfigured": false,
      "name": "string",
      "proxy_id": "string",
      "secrets": {
        "ssl": {
          "es_key": {
            "id": "string"
          },
          "key": {
            "id": "string"
          }
        }
      },
      "ssl": {
        "certificate": "string",
        "certificate_authorities": [
          "string"
        ],
        "client_auth": "optional",
        "es_certificate": "string",
        "es_certificate_authorities": [
          "string"
        ],
        "es_key": "string",
        "key": "string"
      }
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Fleet service tokens

Sync saved objects in the default space

GET /api/ml/saved_objects/sync
Api key auth Basic auth

Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have all privileges for the Machine Learning feature in the Analytics section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.

Query parameters

  • simulate boolean

    When true, simulates the synchronization by returning only the list of actions that would be performed.

Responses

  • 200 application/json

    Indicates a successful call

    Hide response attributes Show response attributes object
    • datafeedsAdded object

      If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.

      Hide datafeedsAdded attribute Show datafeedsAdded attribute object
      • * object Additional properties

        The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.

        Hide * attribute Show * attribute object
        • success boolean

          The success or failure of the synchronization.

    • datafeedsRemoved object

      If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.

      Hide datafeedsRemoved attribute Show datafeedsRemoved attribute object
      • * object Additional properties

        The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.

        Hide * attribute Show * attribute object
        • success boolean

          The success or failure of the synchronization.

    • savedObjectsCreated object

      If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.

      Hide savedObjectsCreated attributes Show savedObjectsCreated attributes object
      • anomaly-detector object

        If saved objects are missing for anomaly detection jobs, they are created.

        Hide anomaly-detector attribute Show anomaly-detector attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • data-frame-analytics object

        If saved objects are missing for data frame analytics jobs, they are created.

        Hide data-frame-analytics attribute Show data-frame-analytics attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • trained-model object

        If saved objects are missing for trained models, they are created.

        Hide trained-model attribute Show trained-model attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

    • savedObjectsDeleted object

      If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.

      Hide savedObjectsDeleted attributes Show savedObjectsDeleted attributes object
      • anomaly-detector object

        If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted.

        Hide anomaly-detector attribute Show anomaly-detector attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • data-frame-analytics object

        If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted.

        Hide data-frame-analytics attribute Show data-frame-analytics attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • trained-model object

        If there are saved objects exist for nonexistent trained models, they are deleted.

        Hide trained-model attribute Show trained-model attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/ml/saved_objects/sync 
curl \
 --request GET 'https://localhost:5601/api/ml/saved_objects/sync' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "datafeedsAdded": {},
  "datafeedsRemoved": {},
  "savedObjectsCreated": {
    "anomaly-detector": {
      "myjob1": {
        "success": true
      },
      "myjob2": {
        "success": true
      }
    }
  },
  "savedObjectsDeleted": {}
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Create or update a role

PUT /api/security/role/{name}
Api key auth Basic auth

Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • name string Required

    The role name.

    Minimum length is 1, maximum length is 1024.

Query parameters

  • createOnly boolean

    When true, a role is not overwritten if it already exists.

    Default value is false.

application/json

Body

  • description string

    A description for the role.

    Maximum length is 2048.

  • elasticsearch object Required

    Additional properties are NOT allowed.

    Hide elasticsearch attributes Show elasticsearch attributes object
    • cluster array[string]

      Cluster privileges that define the cluster level actions that users can perform.

    • indices array[object]
      Hide indices attributes Show indices attributes object
      • allow_restricted_indices boolean

        Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.

      • field_security object
        Hide field_security attribute Show field_security attribute object
        • * array[string] Additional properties

          The document fields that the role members have read access to.

      • names array[string] Required

        The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).

        At least 1 element.

      • privileges array[string] Required

        The index level privileges that the role members have for the data streams and indices.

        At least 1 element.

      • query string

        A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

    • remote_cluster array[object]
      Hide remote_cluster attributes Show remote_cluster attributes object
      • clusters array[string] Required

        A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

        At least 1 element.

      • privileges array[string] Required

        The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.

        At least 1 element.

    • remote_indices array[object]
      Hide remote_indices attributes Show remote_indices attributes object
      • allow_restricted_indices boolean

        Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.

      • clusters array[string] Required

        A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

        At least 1 element.

      • field_security object
        Hide field_security attribute Show field_security attribute object
        • * array[string] Additional properties

          The document fields that the role members have read access to.

      • names array[string] Required

        A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).

        At least 1 element.

      • privileges array[string] Required

        The index level privileges that role members have for the specified indices.

        At least 1 element.

      • query string

        A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

    • run_as array[string]

      A user name that the role member can impersonate.

  • kibana array[object]
    Hide kibana attributes Show kibana attributes object
  • metadata object

    Additional properties are allowed.

Responses

  • 204

    Indicates a successful call.

PUT /api/security/role/{name} 
curl \
 --request PUT 'https://localhost:5601/api/security/role/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"kibana":[{"base":[],"spaces":["default"],"feature":{"discover":["all"],"dashboard":["all"]}},{"base":["read"],"spaces":["marketing","sales"]}],"metadata":{"version":1},"description":"Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.","elasticsearch":{"cluster":[],"indices":[]}}'
Request examples
Grant access to various features in some spaces. 
{
  "kibana": [
    {
      "base": [],
      "spaces": [
        "default"
      ],
      "feature": {
        "discover": [
          "all"
        ],
        "dashboard": [
          "all"
        ]
      }
    },
    {
      "base": [
        "read"
      ],
      "spaces": [
        "marketing",
        "sales"
      ]
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.",
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant access to dashboard features in a Marketing space. 
{
  "kibana": [
    {
      "base": [],
      "spaces": [
        "marketing"
      ],
      "feature": {
        "dashboard": [
          "read"
        ]
      }
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant dashboard access in the Marketing space.",
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant full access to all features in the default space. 
{
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant Elasticsearch and Kibana feature privileges. 
{
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space.",
  "elasticsearch": {
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "index1",
          "index2"
        ],
        "privileges": [
          "all"
        ]
      }
    ],
    "remote_cluster": [
      {
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "monitor_enrich"
        ]
      }
    ],
    "remote_indices": [
      {
        "names": [
          "remote_index1",
          "remote_index2"
        ],
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "all"
        ]
      }
    ]
  }
}

Resolve saved objects Deprecated

POST /api/saved_objects/_bulk_resolve
Api key auth Basic auth

Retrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

object object

Responses

  • 200 application/json

    Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/saved_objects/_bulk_resolve 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/_bulk_resolve' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'
Request examples 
# Headers
kbn-xsrf: string

# Payload
[
  {}
]
Response examples (200) 
{}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Search for saved objects Deprecated

GET /api/saved_objects/_find
Api key auth Basic auth

Retrieve a paginated set of Kibana saved objects.

Query parameters

  • aggs string

    An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the savedObjectType.attributes.title: "myTitle" format must be used. For root fields, the syntax is savedObjectType.rootField. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.

  • default_search_operator string

    The default operator to use for the simple_query_string.

  • fields string | array

    The fields to return in the attributes key of the response.

  • filter string

    The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: savedObjectType.attributes.title: "myTitle". However, if you use a root attribute of a saved object such as updated_at, you will have to define your filter like that: savedObjectType.updated_at > 2018-12-22.

  • has_no_reference object

    Filters to objects that do not have a relationship with the type and identifier combination.

  • has_no_reference_operator string

    The operator to use for the has_no_reference parameter. Either OR or AND. Defaults to OR.

  • has_reference object

    Filters to objects that have a relationship with the type and ID combination.

  • has_reference_operator string

    The operator to use for the has_reference parameter. Either OR or AND. Defaults to OR.

  • page integer

    The page of objects to return.

  • per_page integer

    The number of objects to return per page.

  • search_fields string | array

    The fields to perform the simple_query_string parsed query against.

  • sort_field string

    Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed.

  • type string | array Required

    The saved object types to include.

Responses

  • 200 application/json

    Indicates a successful call.
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
GET /api/saved_objects/_find 
curl \
 --request GET 'https://localhost:5601/api/saved_objects/_find?type=string' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Resolve import errors

POST /api/saved_objects/_resolve_import_errors
Api key auth Basic auth

To resolve errors from the Import objects API, you can:

  • Retry certain saved objects
  • Overwrite specific saved objects
  • Change references to different saved objects

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Query parameters

  • compatibilityMode boolean

    Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the createNewCopies option.

  • createNewCopies boolean

    Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors.

multipart/form-data

Body Required

  • file string(binary)

    The same file given to the import API.

  • retries array[object] Required

    The retry operations, which can specify how to resolve different types of errors.

    Hide retries attributes Show retries attributes object
    • destinationId string

      Specifies the destination ID that the imported object should have, if different from the current ID.

    • id string Required

      The saved object ID.

    • ignoreMissingReferences boolean

      When set to true, ignores missing reference errors. When set to false, does nothing.

    • overwrite boolean

      When set to true, the source object overwrites the conflicting destination object. When set to false, does nothing.

    • replaceReferences array[object]

      A list of type, from, and to used to change the object references.

      Hide replaceReferences attributes Show replaceReferences attributes object
    • type string Required

      The saved object type.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • errors array[object]

      Specifies the objects that failed to resolve.

      NOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a missing_references error and a conflict error.

    • success boolean

      Indicates a successful import. When set to false, some objects may not have been created. For additional information, refer to the errors and successResults properties.

    • successCount number

      Indicates the number of successfully resolved records.

    • successResults array[object]

      Indicates the objects that are successfully imported, with any metadata if applicable.

      NOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references.
  • 400 application/json

    Bad request.

    Hide response attributes Show response attributes object
POST /api/saved_objects/_resolve_import_errors 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/_resolve_import_errors' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --header "kbn-xsrf: string" \
 --form "file=file.ndjson" \
 --form "retries[]={"id"=>"my-pattern", "type"=>"index-pattern", "overwrite"=>true}" \
 --form "retries[]={"id"=>"my-vis", "type"=>"visualization", "overwrite"=>true, "destinationId"=>"another-vis"}" \
 --form "retries[]={"id"=>"my-canvas", "type"=>"canvas", "overwrite"=>true, "destinationId"=>"yet-another-canvas"}" \
 --form "retries[]={"id"=>"my-dashboard", "type"=>"dashboard"}"
Request example 
{"file"=>"file.ndjson", "retries"=>[{"id"=>"my-pattern", "type"=>"index-pattern", "overwrite"=>true}, {"id"=>"my-vis", "type"=>"visualization", "overwrite"=>true, "destinationId"=>"another-vis"}, {"id"=>"my-canvas", "type"=>"canvas", "overwrite"=>true, "destinationId"=>"yet-another-canvas"}, {"id"=>"my-dashboard", "type"=>"dashboard"}]}
Response examples (200) 
{
  "success": true,
  "successCount": 3,
  "successResults": [
    {
      "id": "my-vis",
      "meta": {
        "icon": "visualizeApp",
        "title": "Look at my visualization"
      },
      "type": "visualization"
    },
    {
      "id": "my-search",
      "meta": {
        "icon": "searchApp",
        "title": "Look at my search"
      },
      "type": "search"
    },
    {
      "id": "my-dashboard",
      "meta": {
        "icon": "dashboardApp",
        "title": "Look at my dashboard"
      },
      "type": "dashboard"
    }
  ]
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Apply a bulk action to anonymization fields

POST /api/security_ai_assistant/anonymization_fields/_bulk_action
Api key auth Basic auth

Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.

application/json

Body

  • create array[object]
    Hide create attributes Show create attributes object
  • delete object
    Hide delete attributes Show delete attributes object
    • ids array[string]

      Array of anonymization fields IDs

      At least 1 element.

    • query string

      Query to filter anonymization fields

  • update array[object]
    Hide update attributes Show update attributes object

Responses

POST /api/security_ai_assistant/anonymization_fields/_bulk_action 
curl \
 --request POST 'https://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"create":[{"allowed":true,"anonymized":true,"field":"string"}],"delete":{"ids":["string"],"query":"string"},"update":[{"allowed":true,"anonymized":true,"id":"string"}]}'
Request examples 
{
  "create": [
    {
      "allowed": true,
      "anonymized": true,
      "field": "string"
    }
  ],
  "delete": {
    "ids": [
      "string"
    ],
    "query": "string"
  },
  "update": [
    {
      "allowed": true,
      "anonymized": true,
      "id": "string"
    }
  ]
}
Response examples (200) 
{
  "anonymization_fields_count": 42,
  "attributes": {
    "errors": [
      {
        "anonymization_fields": [
          {
            "id": "string",
            "name": "string"
          }
        ],
        "err_code": "string",
        "message": "string",
        "status_code": 42
      }
    ],
    "results": {
      "created": [
        {
          "allowed": true,
          "anonymized": true,
          "createdAt": "string",
          "createdBy": "string",
          "field": "string",
          "id": "string",
          "namespace": "string",
          "timestamp": "string",
          "updatedAt": "string",
          "updatedBy": "string"
        }
      ],
      "deleted": [
        "string"
      ],
      "skipped": [
        {
          "id": "string",
          "name": "string",
          "skip_reason": "ANONYMIZATION_FIELD_NOT_MODIFIED"
        }
      ],
      "updated": [
        {
          "allowed": true,
          "anonymized": true,
          "createdAt": "string",
          "createdBy": "string",
          "field": "string",
          "id": "string",
          "namespace": "string",
          "timestamp": "string",
          "updatedAt": "string",
          "updatedBy": "string"
        }
      ]
    },
    "summary": {
      "failed": 42,
      "skipped": 42,
      "succeeded": 42,
      "total": 42
    }
  },
  "message": "string",
  "status_code": 42,
  "success": true
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Security detections

Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the Alerts page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.

This API supports both key-based authentication and basic authentication.

To use key-based authentication, create an API key, then specify the key in the header of your API calls.

To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.

In both cases, the API key is subsequently used for authorization when the rule runs.

If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.

If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.

To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the Detections requirements for a complete list of requirements.

Reads the alert index name if it exists

GET /api/detection_engine/index
Api key auth Basic auth

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough permissions response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
GET /api/detection_engine/index 
curl \
 --request GET 'https://localhost:5601/api/detection_engine/index' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "name": ".alerts-security.alerts-default",
  "index_mapping_outdated": false
}
Response examples (401) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403) 
{
  "message": "string",
  "status_code": 42
}
Response examples (404) 
{
  "message": "string",
  "status_code": 42
}
Response examples (500) 
{
  "message": "string",
  "status_code": 42
}

Delete an alerts index

DELETE /api/detection_engine/index
Api key auth Basic auth

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough permissions response

    Hide response attributes Show response attributes object
  • 404 application/json

    Index does not exist response
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
DELETE /api/detection_engine/index 
curl \
 --request DELETE 'https://localhost:5601/api/detection_engine/index' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "acknowledged": true
}
Response examples (401) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403) 
{
  "message": "string",
  "status_code": 42
}
Response examples (404) 
string
Response examples (500) 
{
  "message": "string",
  "status_code": 42
}

Update a detection rule

PUT /api/detection_engine/rules
Api key auth Basic auth

Update a detection rule using the rule_id or id field. The original rule is replaced, and all unspecified fields are deleted.

The difference between the id and rule_id is that the id is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas rule_id is a stable rule identifier that can be assigned during rule creation.

When used with API key authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.

If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.

application/json

Body object Required


All unspecified fields are deleted. You cannot modify the id or rule_id values.

Any of:
Security_Detections_API_EqlRuleCreateFields object Security_Detections_API_QueryRuleCreateFields object Security_Detections_API_SavedQueryRuleCreateFields object Security_Detections_API_ThresholdRuleCreateFields object Security_Detections_API_ThreatMatchRuleCreateFields object Security_Detections_API_MachineLearningRuleCreateFields object Security_Detections_API_NewTermsRuleCreateFields object Security_Detections_API_EsqlRuleCreateFields object
  • actions array[object]

    Array defining the automated actions (notifications) taken when alerts are generated.

    Hide actions attributes Show actions attributes object
    • action_type_id string Required

      The action type used for sending notifications, can be:

      • .slack
      • .slack_api
      • .email
      • .index
      • .pagerduty
      • .swimlane
      • .webhook
      • .servicenow
      • .servicenow-itom
      • .servicenow-sir
      • .jira
      • .resilient
      • .opsgenie
      • .teams
      • .torq
      • .tines
      • .d3security
    • alerts_filter object

      Object containing an action’s conditional filters.

      • timeframe (object, optional): Object containing the time frame for when this action can be run.
        • days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.
        • hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.
          • start (string, required): Start time in hh:mm format.
          • end (string, required): End time in hh:mm format.
        • timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
      • query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
        • kql (string, required): A KQL string.
        • filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

      Additional properties are allowed.

    • frequency object

      The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

      Hide frequency attributes Show frequency attributes object
      • notifyWhen string Required

        Defines how often rules run actions.

        Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

      • summary boolean Required

        Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

      • throttle string | null Required

        Defines how often rule actions are taken.

        One of:
        string-1 string | null string-2 string | null

        Values are no_actions or rule.

    • group string

      Optionally groups actions by use cases. Use default for alert notifications.

    • id string Required

      The connector ID.

    • params object Required

      Object containing the allowed connector fields, which varies according to the connector type.

      For Slack:

      • message (string, required): The notification message.

      For email:

      • to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
      • subject (string, optional): Email subject line.
      • message (string, required): Email body text.

      For Webhook:

      • body (string, required): JSON payload.

      For PagerDuty:

      • severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
      • eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
      • dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
      • timestamp (DateTime, optional): ISO-8601 format timestamp.
      • component (string, optional): Source machine component responsible for the event, for example security-solution.
      • group (string, optional): Enables logical grouping of service components.
      • source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
      • summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
      • class (string, optional): Value indicating the class/type of the event.

      Additional properties are allowed.

    • uuid string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • alias_purpose string

    Values are savedObjectConversion or savedObjectImport.

  • alias_target_id string
  • author array[string]

    The rule’s author.

  • building_block_type string

    Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

  • description string Required

    The rule’s description.

    Minimum length is 1.

  • enabled boolean

    Determines whether the rule is enabled. Defaults to true.

  • exceptions_list array[object]

    Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

    Hide exceptions_list attributes Show exceptions_list attributes object
    • id string(nonempty) Required

      ID of the exception container

      Minimum length is 1.

    • list_id string(nonempty) Required

      List ID of the exception container

      Minimum length is 1.

    • namespace_type string Required

      Determines the exceptions validity in rule's Kibana space

      Values are agnostic or single.

    • type string Required

      The exception type

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

  • false_positives array[string]

    String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

  • from string(date-math)

    Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

  • id string(uuid)

    A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

  • interval string

    Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

  • investigation_fields object

    Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

    Hide investigation_fields attribute Show investigation_fields attribute object
    • field_names array[string(nonempty)] Required

      A string that does not contain only whitespace characters

      At least 1 element. Minimum length of each is 1.

  • license string

    The rule's license.

  • max_signals integer

    Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

    This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

    Minimum value is 1. Default value is 100.

  • meta object

    Placeholder for metadata about the rule.

    This field is overwritten when you save changes to the rule’s settings.

    Additional properties are allowed.

  • name string Required

    A human-readable name for the rule.

    Minimum length is 1.

  • namespace string

    Has no effect.

  • note string

    Notes to help investigate alerts produced by the rule.

  • outcome string

    Values are exactMatch, aliasMatch, or conflict.

  • output_index string Deprecated

    (deprecated) Has no effect.

  • references array[string]

    Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

  • related_integrations array[object]

    Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

    NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

    Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

    • package: name of the package (required, unique id)
    • version: version of the package (required, semver-compatible)
    • integration: name of the integration of this package (optional, id within the package)

    There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

    Hide related_integrations attributes Show related_integrations attributes object
    • integration string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • package string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • version string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • required_fields array[object]

    Elasticsearch fields and their types that need to be present for the rule to function.

    The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

    Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

    Hide required_fields attributes Show required_fields attributes object
    • name string(nonempty) Required

      Name of an Elasticsearch field

      Minimum length is 1.

    • type string(nonempty) Required

      Type of the Elasticsearch field

      Minimum length is 1.

  • response_actions array[object]
    One of:
    Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
    Hide attributes Show attributes
    • action_type_id string Required

      Value is .osquery.

    • params object Required
      Hide params attributes Show params attributes object
      • ecs_mapping object

        Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

        Hide ecs_mapping attribute Show ecs_mapping attribute object
      • pack_id string

        To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

      • queries array[object]
        Hide queries attributes Show queries attributes object
      • query string

        To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

      • saved_query_id string

        To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

      • timeout number

        A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

  • risk_score integer Required

    A numerical representation of the alert's severity from 0 to 100, where:

    • 0 - 21 represents low severity
    • 22 - 47 represents medium severity
    • 48 - 73 represents high severity
    • 74 - 100 represents critical severity

    Minimum value is 0, maximum value is 100.

  • risk_score_mapping array[object]

    Overrides generated alerts' risk_score with a value from the source event

    Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • field string Required

      Source event field used to override the default risk_score.

    • operator string Required

      Value is equals.

    • risk_score integer

      A numerical representation of the alert's severity from 0 to 100, where:

      • 0 - 21 represents low severity
      • 22 - 47 represents medium severity
      • 48 - 73 represents high severity
      • 74 - 100 represents critical severity

      Minimum value is 0, maximum value is 100.

    • value string Required
  • rule_id string

    A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

  • rule_name_override string

    Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

  • setup string

    Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

  • severity string Required

    Severity level of alerts produced by the rule, which must be one of the following:

    • low: Alerts that are of interest but generally not considered to be security incidents
    • medium: Alerts that require investigation
    • high: Alerts that require immediate investigation
    • critical: Alerts that indicate it is highly likely a security incident has occurred

    Values are low, medium, high, or critical.

  • severity_mapping array[object]

    Overrides generated alerts' severity with values from the source event

    Hide severity_mapping attributes Show severity_mapping attributes object
    • field string Required

      Source event field used to override the default severity.

    • operator string Required

      Value is equals.

    • severity string Required

      Severity level of alerts produced by the rule, which must be one of the following:

      • low: Alerts that are of interest but generally not considered to be security incidents
      • medium: Alerts that require investigation
      • high: Alerts that require immediate investigation
      • critical: Alerts that indicate it is highly likely a security incident has occurred

      Values are low, medium, high, or critical.

    • value string Required
  • tags array[string]

    String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

  • threat array[object]


    Currently, only threats described using the MITRE ATT&CK™ framework are supported.

    Hide threat attributes Show threat attributes object
    • framework string Required

      Relevant attack framework

    • tactic object Required

      Object containing information on the attack type

      Hide tactic attributes Show tactic attributes object
      • id string Required

        Tactic ID

      • name string Required

        Tactic name

      • reference string Required

        Tactic reference

    • technique array[object]

      Array containing information on the attack techniques (optional)

      Hide technique attributes Show technique attributes object
      • id string Required

        Technique ID

      • name string Required

        Technique name

      • reference string Required

        Technique reference

      • subtechnique array[object]

        Array containing more specific information on the attack technique.

        Hide subtechnique attributes Show subtechnique attributes object
        • id string Required

          Subtechnique ID

        • name string Required

          Subtechnique name

        • reference string Required

          Subtechnique reference

  • throttle string | null

    Defines how often rule actions are taken.

    One of:
    string-1 string | null string-2 string | null

    Values are no_actions or rule.

  • timeline_id string

    Timeline template ID

  • timeline_title string

    Timeline template title

  • timestamp_override string

    Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

  • timestamp_override_fallback_disabled boolean

    Disables the fallback to the event's @timestamp field

  • to string
  • version integer

    The rule's version number.

    • For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).
    • For custom rules it is set to 1 when the rule is created.

    It is not incremented on each update. Compare this to the revision field.

    Minimum value is 1.

  • language string Required

    Query language to use

    Value is eql.

  • query string Required

    Query used by the rule to create alerts.

    • For indicator match rules, only the query’s results are used to determine whether an alert is generated.
    • ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
  • type string Required Discriminator

    Rule type

    Value is eql.

  • alert_suppression object

    Defines alert suppression configuration.

    Hide alert_suppression attributes Show alert_suppression attributes object
    • duration object
      Hide duration attributes Show duration attributes object
      • unit string Required

        Time unit

        Values are s, m, or h.

      • value integer Required

        Minimum value is 1.

    • group_by array[string] Required

      At least 1 but not more than 3 elements.

    • missing_fields_strategy string

      Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

      Values are doNotSuppress or suppress.

  • data_view_id string
  • event_category_override string
  • filters array

    The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

    This field is not supported for ES|QL rules.

  • index array[string]

    Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

    This field is not supported for ES|QL rules.

  • tiebreaker_field string

    Sets a secondary field for sorting events

  • timestamp_field string

    Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.

Responses

  • 200 application/json

    Indicates a successful call.

    Any of:
    Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object
    Hide attributes Show attributes
    • actions array[object] Required

      Array defining the automated actions (notifications) taken when alerts are generated.

      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications, can be:

        • .slack
        • .slack_api
        • .email
        • .index
        • .pagerduty
        • .swimlane
        • .webhook
        • .servicenow
        • .servicenow-itom
        • .servicenow-sir
        • .jira
        • .resilient
        • .opsgenie
        • .teams
        • .torq
        • .tines
        • .d3security
      • alerts_filter object

        Object containing an action’s conditional filters.

        • timeframe (object, optional): Object containing the time frame for when this action can be run.
          • days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.
          • hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.
            • start (string, required): Start time in hh:mm format.
            • end (string, required): End time in hh:mm format.
          • timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
        • query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
          • kql (string, required): A KQL string.
          • filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

        Additional properties are allowed.

      • frequency object

        The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          Defines how often rules run actions.

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:
          string-1 string | null string-2 string | null

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        For Slack:

        • message (string, required): The notification message.

        For email:

        • to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
        • subject (string, optional): Email subject line.
        • message (string, required): Email body text.

        For Webhook:

        • body (string, required): JSON payload.

        For PagerDuty:

        • severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
        • eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
        • dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
        • timestamp (DateTime, optional): ISO-8601 format timestamp.
        • component (string, optional): Source machine component responsible for the event, for example security-solution.
        • group (string, optional): Enables logical grouping of service components.
        • source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
        • summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
        • class (string, optional): Value indicating the class/type of the event.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • alias_purpose string

      Values are savedObjectConversion or savedObjectImport.

    • alias_target_id string
    • author array[string] Required

      The rule’s author.

    • building_block_type string

      Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

    • description string Required

      The rule’s description.

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled. Defaults to true.

    • exceptions_list array[object] Required

      Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        ID of the exception container

        Minimum length is 1.

      • list_id string(nonempty) Required

        List ID of the exception container

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required

      String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • investigation_fields object

      Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

      This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

      Minimum value is 1. Default value is 100.

    • meta object

      Placeholder for metadata about the rule.

      This field is overwritten when you save changes to the rule’s settings.

      Additional properties are allowed.

    • name string Required

      A human-readable name for the rule.

      Minimum length is 1.

    • namespace string

      Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required

      Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

    • related_integrations array[object] Required

      Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

      NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

      Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

      • package: name of the package (required, unique id)
      • version: version of the package (required, semver-compatible)
      • integration: name of the integration of this package (optional, id within the package)

      There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

      Hide related_integrations attributes Show related_integrations attributes object
      • integration string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • package string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • version string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • required_fields array[object] Required

      Elasticsearch fields and their types that need to be present for the rule to function.

      The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

      Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

      Hide required_fields attributes Show required_fields attributes object
      • name string(nonempty) Required

        Name of an Elasticsearch field

        Minimum length is 1.

      • type string(nonempty) Required

        Type of the Elasticsearch field

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
      Hide attributes Show attributes
      • action_type_id string Required

        Value is .osquery.

      • params object Required
        Hide params attributes Show params attributes object
        • ecs_mapping object

          Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

          Hide ecs_mapping attribute Show ecs_mapping attribute object
        • pack_id string

          To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

        • queries array[object]
          Hide queries attributes Show queries attributes object
        • query string

          To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

        • saved_query_id string

          To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

        • timeout number

          A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

    • risk_score integer Required

      A numerical representation of the alert's severity from 0 to 100, where:

      • 0 - 21 represents low severity
      • 22 - 47 represents medium severity
      • 48 - 73 represents high severity
      • 74 - 100 represents critical severity

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
      • field string Required

        Source event field used to override the default risk_score.

      • operator string Required

        Value is equals.

      • risk_score integer

        A numerical representation of the alert's severity from 0 to 100, where:

        • 0 - 21 represents low severity
        • 22 - 47 represents medium severity
        • 48 - 73 represents high severity
        • 74 - 100 represents critical severity

        Minimum value is 0, maximum value is 100.

      • value string Required
    • rule_name_override string

      Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

    • setup string Required

      Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

    • severity string Required

      Severity level of alerts produced by the rule, which must be one of the following:

      • low: Alerts that are of interest but generally not considered to be security incidents
      • medium: Alerts that require investigation
      • high: Alerts that require immediate investigation
      • critical: Alerts that indicate it is highly likely a security incident has occurred

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required

        Source event field used to override the default severity.

      • operator string Required

        Value is equals.

      • severity string Required

        Severity level of alerts produced by the rule, which must be one of the following:

        • low: Alerts that are of interest but generally not considered to be security incidents
        • medium: Alerts that require investigation
        • high: Alerts that require immediate investigation
        • critical: Alerts that indicate it is highly likely a security incident has occurred

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required


      Currently, only threats described using the MITRE ATT&CK™ framework are supported.

      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Object containing information on the attack type

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique.

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:
      string-1 string | null string-2 string | null

      Values are no_actions or rule.

    • timeline_id string

      Timeline template ID

    • timeline_title string

      Timeline template title

    • timestamp_override string

      Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

    • timestamp_override_fallback_disabled boolean

      Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      • For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).
      • For custom rules it is set to 1 when the rule is created.

      It is not incremented on each update. Compare this to the revision field.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • execution_summary object

      Summary of the last execution of a rule.

      This field is under development and its usage or schema may change

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required
        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required
          Hide metrics attributes Show metrics attributes object
          • execution_gap_duration_s integer

            Duration in seconds of execution gap

            Minimum value is 0.

          • gap_range object

            Range of the execution gap

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • total_enrichment_duration_ms integer

            Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • total_indexing_duration_ms integer

            Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • total_search_duration_ms integer

            Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      The rule's revision number.

      It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

      Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

      Minimum value is 0.

    • rule_id string Required

      A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:
      Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      Query used by the rule to create alerts.

      • For indicator match rules, only the query’s results are used to determine whether an alert is generated.
      • ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
    • type string Required Discriminator

      Rule type

      Value is eql.

    • alert_suppression object

      Defines alert suppression configuration.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object
        Hide duration attributes Show duration attributes object
        • unit string Required

          Time unit

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • missing_fields_strategy string

        Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • data_view_id string
    • event_category_override string
    • filters array

      The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

      This field is not supported for ES|QL rules.

    • index array[string]

      Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

      This field is not supported for ES|QL rules.

    • tiebreaker_field string

      Sets a secondary field for sorting events

    • timestamp_field string

      Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
PUT /api/detection_engine/rules 
curl \
 --request PUT 'https://localhost:5601/api/detection_engine/rules' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"id":"14b7b513-3d8d-4b22-b7da-a7ae632f7e76","name":"A new name for the rule","type":"query","severity":"medium","risk_score":22,"description":"A new description"}'
Request examples 
{
  "id": "14b7b513-3d8d-4b22-b7da-a7ae632f7e76",
  "name": "A new name for the rule",
  "type": "query",
  "severity": "medium",
  "risk_score": 22,
  "description": "A new description"
}
{
  "id": "9b684efb-acf9-4323-9bff-8335b3867d14",
  "name": "New name for EQL rule",
  "type": "eql",
  "index": [
    "apm-*-transaction*"
  ],
  "query": "process where process.name == \"regsvr32.exe\"",
  "language": "eql",
  "severity": "low",
  "risk_score": 21,
  "description": "eql rule test"
}
{
  "id": "005d2c4f-51ca-493d-a2bd-20ef076339b1",
  "name": "New name for threat rule",
  "tags": [
    "new_tag"
  ],
  "type": "threshold",
  "query": "agent.version : * and agent.id : \"243d9b4f-ca01-4311-8e5c-9abbee91afd8\"",
  "language": "kuery",
  "severity": "low",
  "threshold": {
    "field": [],
    "value": 400,
    "cardinality": []
  },
  "risk_score": 21,
  "description": "Description of threat rule test"
}
{
  "id": "569aac91-40dc-4807-a8ae-a2c8698089c4",
  "name": "New terms rule name",
  "type": "new_terms",
  "query": "agent.version : \"9.1.0\"",
  "interval": "5m",
  "severity": "low",
  "risk_score": 21,
  "description": "New description",
  "new_terms_fields": [
    "Endpoint.policy.applied.artifacts.global.identifiers.name"
  ],
  "history_window_start": "now-7d"
}
{
  "id": "0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd",
  "name": "New name for esql rule",
  "type": "esql",
  "query": "FROM logs*\n| STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */\n| EVAL event_rate = count / DATE_DIFF(\"seconds\", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */\n| KEEP event_rate\n",
  "language": "esql",
  "severity": "low",
  "risk_score": 21,
  "description": "New description for esql rule"
}
{
  "id": "462f1986-10fe-40a3-a22c-2b1c9c4c48fd",
  "name": "New name for Indicator Match rule",
  "type": "threat_match",
  "query": "source.ip:* or destination.ip:*\\n",
  "severity": "critical",
  "risk_score": 99,
  "description": "New description",
  "threat_index": [
    "filebeat-*",
    "logs-ti_*"
  ],
  "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
  "threat_mapping": [
    {
      "entries": [
        {
          "type": "mapping",
          "field": "source.ip",
          "value": "threat.indicator.ip"
        }
      ]
    },
    {
      "entries": [
        {
          "type": "mapping",
          "field": "destination.ip",
          "value": "threat.indicator.ip"
        }
      ]
    }
  ]
}
{
  "id": "60b13926-289b-41b1-a537-197ef1fa5059",
  "name": "New name of ml rule",
  "type": "machine_learning",
  "severity": "low",
  "risk_score": 21,
  "description": "New description of ml rule",
  "anomaly_threshold": 50,
  "machine_learning_job_id": [
    "auth_high_count_logon_events"
  ]
}
Response examples (200) 
{
  "id": "6541b99a-dee9-4f6d-a86d-dbd1869d73b1",
  "to": "now",
  "from": "now-70m",
  "name": "Updated Rule Name",
  "tags": [
    "child process",
    "ms office"
  ],
  "type": "query",
  "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
  "setup": "",
  "threat": [],
  "actions": [],
  "enabled": false,
  "filters": [
    {
      "query": null
    }
  ],
  "rule_id": "process_started_by_ms_office_program",
  "version": 2,
  "interval": "1h",
  "language": "kuery",
  "severity": "low",
  "immutable": false,
  "created_at": "2020-04-07T14:51:09.755Z",
  "created_by": "elastic",
  "references": [],
  "risk_score": 50,
  "updated_at": "2020-04-07T14:51:09.970Z",
  "updated_by": "elastic",
  "description": "Updated description for the rule.",
  "max_signals": 100,
  "false_positives": [],
  "required_fields": [
    {
      "name": "process.parent.name"
    }
  ],
  "related_integrations": [
    {
      "package": "o365"
    }
  ]
}

Get action details

GET /api/endpoint/action/{action_id}
Api key auth Basic auth

Get the details of a response action using the action ID.

Path parameters

  • action_id string Required

    The ID of the action to retrieve.

Responses

  • 200 application/json

    OK
GET /api/endpoint/action/{action_id} 
curl \
 --request GET 'https://localhost:5601/api/endpoint/action/fr518850-681a-4y60-aa98-e22640cae2b8' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": {
    "id": "b3d6de74-36b0-4fa8-be46-c375bf1771bf",
    "agents": [
      "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
    ],
    "command": "running-processes",
    "outputs": {
      "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0": {
        "type": "json",
        "content": {
          "entries": [
            {
              "pid": "822",
              "user": "Dexter",
              "command": "/opt/cmd1",
              "entity_id": "fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt"
            },
            {
              "pid": "984",
              "user": "Jada",
              "command": "/opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3",
              "entity_id": "pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt"
            }
          ]
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "elastic",
    "isExpired": false,
    "startedAt": "2022-08-08T15:24:57.402Z",
    "completedAt": "2022-08-08T09:50:47.672Z",
    "isCompleted": true,
    "wasSuccessful": true
  }
}

Run a command

POST /api/endpoint/action/execute
Api key auth Basic auth

Run a shell command on an endpoint.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Optional parameters object

    Hide parameters attributes Show parameters attributes object
    • command string Required

      The command to be executed (cannot be an empty string)

      Minimum length is 1. Values are isolate, unisolate, kill-process, suspend-process, running-processes, get-file, execute, upload, or scan.

    • timeout integer

      The maximum timeout value in milliseconds (optional)

      Minimum value is 1.

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/execute 
curl \
 --request POST 'https://localhost:5601/api/endpoint/action/execute' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Get list of all files","parameters":{"command":"ls -al","timeout":600},"endpoint_ids":["b3d6de74-36b0-4fa8-be46-c375bf1771bf"]}'
Request example 
{
  "comment": "Get list of all files",
  "parameters": {
    "command": "ls -al",
    "timeout": 600
  },
  "endpoint_ids": [
    "b3d6de74-36b0-4fa8-be46-c375bf1771bf"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "9f934028-2300-4927-b531-b26376793dc4",
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
      }
    },
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "status": "pending",
    "command": "execute",
    "comment": "Get list of all files",
    "outputs": {},
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2023-07-28T18:43:27.362Z",
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "parameters": {
      "command": "ls -al",
      "timeout": 600
    },
    "isCompleted": false,
    "wasSuccessful": false
  }
}

Security lists

Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

Lists are made up of:

  • List containers: A container for values of the same Elasticsearch data type. The following data types can be used:
    • boolean
    • byte
    • date
    • date_nanos
    • date_range
    • double
    • double_range
    • float
    • float_range
    • half_float
    • integer
    • integer_range
    • ip
    • ip_range
    • keyword
    • long
    • long_range
    • short
    • text
  • List items: The values used to determine whether the exception prevents an alert from being generated.

All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named internal-ip-addresses-southport contains five items, where each item defines one internal IP address:

  1. 192.168.1.1
  2. 192.168.1.3
  3. 192.168.1.18
  4. 192.168.1.12
  5. 192.168.1.7

To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to create an exception list item that references the internal-ip-addresses-southport list.

Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (is in list, is not in list). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule's exceptions_list object.

Lists requirements

Before you can start using lists, you must create the .lists and .items data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to Enable and access detections for a complete list of requirements.

Security timeline

You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.

Get notes

GET /api/note
Api key auth Basic auth

Get all notes for a given document.

Query parameters

Responses

  • 200 application/json

    Indicates the requested notes were returned.

    Hide response attributes Show response attributes object
    • notes array[object] Required
      Hide notes attributes Show notes attributes object
      • created number | null

        The time the note was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the note.

      • updated number | null

        The last time the note was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the note

      • eventId string | null

        The _id of the associated event for this note.

      • note string | null

        The text of the note

      • timelineId string Required

        The savedObjectId of the Timeline that this note is associated with

      • noteId string Required

        The savedObjectId of the note

      • version string Required

        The version of the note

    • totalCount number Required
GET /api/note 
curl \
 --request GET 'https://localhost:5601/api/note' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "notes": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "note": "This is an example text",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
      "version": "WzQ2LDFd"
    }
  ],
  "totalCount": 42.0
}

Create a clean draft Timeline or Timeline template

POST /api/timeline/_draft
Api key auth Basic auth

Create a clean draft Timeline or Timeline template for the current user.

If the user already has a draft Timeline, the existing draft Timeline is cleared and returned.

application/json

Body Required

The type of Timeline to create. Valid values are default and template.

  • timelineType string | null Required

    The type of Timeline.

    Values are default or template.

Responses

POST /api/timeline/_draft 
curl \
 --request POST 'https://localhost:5601/api/timeline/_draft' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"timelineType":"default"}'
Request examples 
{
  "timelineType": "default"
}
Response examples (200) 
{
  "columns": [
    {
      "id": "@timestamp",
      "columnHeaderType": "not-filtered"
    },
    {
      "id": "event.category",
      "columnHeaderType": "not-filtered"
    }
  ],
  "created": 1587468588922,
  "createdBy": "casetester",
  "dataProviders": [
    {
      "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
      "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
      "enabled": true,
      "excluded": false,
      "queryMatch": {
        "field": "_id,",
        "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
        "operator": ":"
      }
    }
  ],
  "dataViewId": "security-solution-default",
  "dateRange": {
    "end": 1587456479201,
    "start": 1587370079200
  },
  "description": "Investigating exposure of CVE XYZ",
  "eqlOptions": {
    "size": 100,
    "query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
    "timestampField": "@timestamp",
    "eventCategoryField": "event.category"
  },
  "eventType": "all",
  "excludedRowRendererIds": [
    "alert"
  ],
  "favorite": [
    {
      "userName": "elastic",
      "favoriteDate": 1741337636741
    }
  ],
  "filters": [
    {
      "meta": {
        "key": "@timestamp",
        "type": "exists",
        "alias": "Custom filter name",
        "index": ".alerts-security.alerts-default,logs-*",
        "value": "exists",
        "negate": "false,",
        "disabled": false
      },
      "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
    }
  ],
  "indexNames": [
    ".logs*"
  ],
  "kqlMode": "search",
  "kqlQuery": {
    "kuery": {
      "kind": "kuery",
      "expression": "_id : *"
    },
    "filterQuery": null,
    "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
  },
  "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
  "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
  "sort": {
    "columnId": "@timestamp",
    "sortDirection": "desc"
  },
  "status": "active",
  "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
  "templateTimelineVersion": 12,
  "timelineType": "default",
  "title": "CVE XYZ investigation",
  "updated": 1741344876825,
  "updatedBy": "casetester",
  "savedObjectId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
  "version": "WzE0LDFd",
  "eventIdToNoteIds": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "note": "This is an example text",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
      "version": "WzQ2LDFd"
    }
  ],
  "noteIds": [
    "709f99c6-89b6-4953-9160-35945c8e174e"
  ],
  "notes": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "note": "This is an example text",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
      "version": "WzQ2LDFd"
    }
  ],
  "pinnedEventIds": [
    "983f99c6-89b6-4953-9160-35945c8a194f"
  ],
  "pinnedEventsSaveObject": [
    {
      "created": 1587468588922,
      "createdBy": "casetester",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
      "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
      "version": "WzQ2LDFe"
    }
  ]
}
Response examples (403) 
{
  "message": "string",
  "status_code": 42.0
}
Response examples (409) 
{
  "message": "string",
  "status_code": 42.0
}

Get Timelines or Timeline templates

GET /api/timelines
Api key auth Basic auth

Get a list of all saved Timelines or Timeline templates.

Query parameters

  • only_user_favorite string | null

    If true, only timelines that are marked as favorites by the user are returned.

    Values are true or false.

  • timeline_type string | null

    The type of Timeline.

    Values are default or template.

  • sort_field string

    The field to sort the timelines by.

    Values are title, description, updated, or created.

  • sort_order string

    Whether to sort the results ascending or descending

    Values are asc or desc.

  • page_size string | null

    How many results should returned at once

  • page_index string | null

    How many pages should be skipped

  • status string | null

    The status of the Timeline.

    Values are active, draft, or immutable.

Responses

GET /api/timelines 
curl \
 --request GET 'https://localhost:5601/api/timelines' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "customTemplateTimelineCount": 2,
  "defaultTimelineCount": 90,
  "elasticTemplateTimelineCount": 8,
  "favoriteCount": 5,
  "templateTimelineCount": 10,
  "timeline": [
    {
      "columns": [
        {
          "id": "@timestamp",
          "columnHeaderType": "not-filtered"
        },
        {
          "id": "event.category",
          "columnHeaderType": "not-filtered"
        }
      ],
      "created": 1587468588922,
      "createdBy": "casetester",
      "dataProviders": [
        {
          "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
          "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
          "enabled": true,
          "excluded": false,
          "queryMatch": {
            "field": "_id,",
            "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
            "operator": ":"
          }
        }
      ],
      "dataViewId": "security-solution-default",
      "dateRange": {
        "end": 1587456479201,
        "start": 1587370079200
      },
      "description": "Investigating exposure of CVE XYZ",
      "eqlOptions": {
        "size": 100,
        "query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
        "timestampField": "@timestamp",
        "eventCategoryField": "event.category"
      },
      "eventType": "all",
      "excludedRowRendererIds": [
        "alert"
      ],
      "favorite": [
        {
          "userName": "elastic",
          "favoriteDate": 1741337636741
        }
      ],
      "filters": [
        {
          "meta": {
            "key": "@timestamp",
            "type": "exists",
            "alias": "Custom filter name",
            "index": ".alerts-security.alerts-default,logs-*",
            "value": "exists",
            "negate": "false,",
            "disabled": false
          },
          "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
        }
      ],
      "indexNames": [
        ".logs*"
      ],
      "kqlMode": "search",
      "kqlQuery": {
        "kuery": {
          "kind": "kuery",
          "expression": "_id : *"
        },
        "filterQuery": null,
        "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
      },
      "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
      "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
      "sort": {
        "columnId": "@timestamp",
        "sortDirection": "desc"
      },
      "status": "active",
      "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
      "templateTimelineVersion": 12,
      "timelineType": "default",
      "title": "CVE XYZ investigation",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "savedObjectId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "version": "WzE0LDFd",
      "eventIdToNoteIds": [
        {
          "created": 1587468588922,
          "createdBy": "casetester",
          "updated": 1741344876825,
          "updatedBy": "casetester",
          "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
          "note": "This is an example text",
          "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
          "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
          "version": "WzQ2LDFd"
        }
      ],
      "noteIds": [
        "709f99c6-89b6-4953-9160-35945c8e174e"
      ],
      "notes": [
        {
          "created": 1587468588922,
          "createdBy": "casetester",
          "updated": 1741344876825,
          "updatedBy": "casetester",
          "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
          "note": "This is an example text",
          "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
          "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
          "version": "WzQ2LDFd"
        }
      ],
      "pinnedEventIds": [
        "983f99c6-89b6-4953-9160-35945c8a194f"
      ],
      "pinnedEventsSaveObject": [
        {
          "created": 1587468588922,
          "createdBy": "casetester",
          "updated": 1741344876825,
          "updatedBy": "casetester",
          "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
          "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
          "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
          "version": "WzQ2LDFe"
        }
      ]
    }
  ],
  "totalCount": 100
}
Response examples (400) 
{
  "body": "get timeline error",
  "statusCode": 405
}

Get an SLO

GET /s/{spaceId}/api/observability/slos/{sloId}
Api key auth Basic auth

You must have the read privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • spaceId string Required

    An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.

  • sloId string Required

    An identifier for the slo.

Query parameters

  • instanceId string

    the specific instanceId used by the summary calculation

Responses

  • 200 application/json

    Successful request

    Hide response attributes Show response attributes object
    • budgetingMethod string Required

      The budgeting method to use when computing the rollup data.

      Values are occurrences or timeslices.

    • createdAt string Required

      The creation date

    • description string Required

      The description of the SLO.

    • enabled boolean Required

      Indicate if the SLO is enabled

    • groupBy string | array[string] Required

      optional group by field or fields to use to generate an SLO per distinct value

      One of:
      string-1 string array-2 array[string]
    • id string Required

      The identifier of the SLO.

    • indicator object Required

      One of:
      SLOs_indicator_properties_custom_kql object SLOs_indicator_properties_apm_availability object SLOs_indicator_properties_apm_latency object SLOs_indicator_properties_custom_metric object SLOs_indicator_properties_histogram object SLOs_indicator_properties_timeslice_metric object

      Defines properties for a custom query indicator type

      Hide attributes Show attributes
    • instanceId string Required

      the value derived from the groupBy field, if present, otherwise '*'

    • name string Required

      The name of the SLO.

    • objective object Required

      Defines properties for the SLO objective

      Hide objective attributes Show objective attributes object
      • target number Required

        the target objective between 0 and 1 excluded

        Minimum value is 0, maximum value is 100.

      • timesliceTarget number

        the target objective for each slice when using a timeslices budgeting method

        Minimum value is 0, maximum value is 100.

      • timesliceWindow string

        the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}

    • revision number Required

      The SLO revision

    • settings object Required

      Defines properties for SLO settings.

      Hide settings attributes Show settings attributes object
      • frequency string

        The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.

        Default value is 1m.

      • preventInitialBackfill boolean

        Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.

        Default value is false.

      • syncDelay string

        The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.

        Default value is 1m.

      • syncField string

        The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.

    • summary object Required

      The SLO computed data

      Hide summary attributes Show summary attributes object
      • errorBudget object Required
        Hide errorBudget attributes Show errorBudget attributes object
        • consumed number Required

          The error budget consummed, as a percentage of the initial value.

        • initial number Required

          The initial error budget, as 1 - objective

        • isEstimated boolean Required

          Only for SLO defined with occurrences budgeting method and calendar aligned time window.

        • remaining number Required

          The error budget remaining, as a percentage of the initial value.

      • sliValue number Required
      • status string Required

        Values are NO_DATA, HEALTHY, DEGRADING, or VIOLATED.

    • tags array[string] Required

      List of tags

    • timeWindow object Required

      Defines properties for the SLO time window

      Hide timeWindow attributes Show timeWindow attributes object
      • duration string Required

        the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)

      • type string Required

        Indicates weither the time window is a rolling or a calendar aligned time window.

        Values are rolling or calendarAligned.

    • updatedAt string Required

      The last update date

    • version number Required

      The internal SLO version
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /s/{spaceId}/api/observability/slos/{sloId} 
curl \
 --request GET 'https://localhost:5601/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"
Response examples (200) 
{
  "budgetingMethod": "occurrences",
  "createdAt": "2023-01-12T10:03:19.000Z",
  "description": "My SLO description",
  "enabled": true,
  "groupBy": [
    [
      "service.name"
    ],
    "service.name",
    [
      "service.name",
      "service.environment"
    ]
  ],
  "id": "8853df00-ae2e-11ed-90af-09bb6422b258",
  "indicator": {
    "params": {
      "dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
      "filter": "field.environment : \"production\" and service.name : \"my-service\"",
      "good": "request.latency <= 150 and request.status_code : \"2xx\"",
      "index": "my-service-*",
      "timestampField": "timestamp",
      "total": "field.environment : \"production\" and service.name : \"my-service\""
    },
    "type": "sli.kql.custom"
  },
  "instanceId": "host-abcde",
  "name": "My Service SLO",
  "objective": {
    "target": 0.99,
    "timesliceTarget": 0.995,
    "timesliceWindow": "5m"
  },
  "revision": 2,
  "settings": {
    "frequency": "5m",
    "preventInitialBackfill": true,
    "syncDelay": "5m",
    "syncField": "event.ingested"
  },
  "summary": {
    "errorBudget": {
      "consumed": 0.8,
      "initial": 0.02,
      "isEstimated": true,
      "remaining": 0.2
    },
    "sliValue": 0.9836,
    "status": "HEALTHY"
  },
  "tags": [
    "string"
  ],
  "timeWindow": {
    "duration": "30d",
    "type": "rolling"
  },
  "updatedAt": "2023-01-12T10:03:19.000Z",
  "version": 2
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "Invalid value 'foo' supplied to: [...]",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 403
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
  "statusCode": 404
}