Update the API key for a rule

POST /api/alerting/rule/{id}/_update_api_key

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

  • Indicates that the rule has already been updated by another user.

POST /api/alerting/rule/{id}/_update_api_key
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_update_api_key \
 --header "kbn-xsrf: true"

Delete all case comments and alerts

DELETE /api/cases/{caseId}/comments

Deletes all comments and alerts from a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

  • Indicates a successful call.

  • 401 application/json

    Authorization information is missing or invalid.

    • error string
    • message string
    • statusCode number

DELETE /api/cases/{caseId}/comments
curl \
 --request DELETE https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
 --header "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Create a data view

POST /api/data_views/data_view

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • data_view object Required

    The data view object.

    Additional properties are allowed.

    • allowNoIndex boolean

      Allows the data view saved object to exist before the data is available.

    • fieldAttrs object

      • * object Additional properties

        A map of field attributes by field name.

        Additional properties are allowed.

        • count number
        • customDescription string
        • customLabel string

    • fieldFormats object

      A map of field formats by field name.

      Additional properties are allowed.

    • fields object

      Additional properties are allowed.

    • id string
    • name string

      The data view name.

    • namespaces array[string]

      An array of space identifiers for sharing the data view between multiple spaces.

      Default value is default.

    • runtimeFieldMap object

      • * object Additional properties

        A map of runtime field definitions by field name.

        Additional properties are allowed.

        • script object Required

          Additional properties are allowed.

          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      • value string

    • timeFieldName string

      The timestamp field name, which you use for time-based data views.

    • title string Required

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • type string

      When set to rollup, identifies the rollup data views.

    • typeMeta object

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Additional properties are allowed.

      • aggs object Required

        A map of rollup restrictions by aggregation type and field name.

        Additional properties are allowed.

      • params object Required

        Properties for retrieving rollup fields.

        Additional properties are allowed.

    • version string

  • override boolean

    Override an existing data view if a data view with the provided title already exists.

    Default value is false.

Responses

  • 200 application/json

    Indicates a successful call.

    • data_view object

      Additional properties are allowed.

      • allowNoIndex boolean

        Allows the data view saved object to exist before the data is available.

      • fieldAttrs object

        • * object Additional properties

          A map of field attributes by field name.

          Additional properties are allowed.

          • count number
          • customDescription string
          • customLabel string

      • fieldFormats object

        A map of field formats by field name.

        Additional properties are allowed.

      • fields object

        Additional properties are allowed.

      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • runtimeFieldMap object

        • * object Additional properties

          A map of runtime field definitions by field name.

          Additional properties are allowed.

          • script object Required

            Additional properties are allowed.

            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        • value string

      • timeFieldName string

        The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Additional properties are allowed.

        • aggs object

          A map of rollup restrictions by aggregation type and field name.

          Additional properties are allowed.

        • params object

          Properties for retrieving rollup fields.

          Additional properties are allowed.

      • version string

  • 400 application/json

    Bad request

    • error string
    • message string
    • statusCode number

POST /api/data_views/data_view
curl \
 --request POST https://localhost:5601/api/data_views/data_view \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"data_view":{"name":"My Logstash data view","title":"logstash-*","runtimeFieldMap":{"runtime_shape_name":{"type":"keyword","script":{"source":"emit(doc['\''shape_name'\''].value)"}}}}}'
Request example
{
  "data_view": {
    "name": "My Logstash data view",
    "title": "logstash-*",
    "runtimeFieldMap": {
      "runtime_shape_name": {
        "type": "keyword",
        "script": {
          "source": "emit(doc['shape_name'].value)"
        }
      }
    }
  }
}
Response examples (200)
{
  "data_view": {
    "allowNoIndex": true,
    "fieldAttrs": {
      "additionalProperty1": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      },
      "additionalProperty2": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      }
    },
    "fieldFormats": {},
    "fields": {},
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "string",
    "namespaces": [
      "default"
    ],
    "runtimeFieldMap": {
      "additionalProperty1": {
        "script": {
          "source": "string"
        },
        "type": "string"
      },
      "additionalProperty2": {
        "script": {
          "source": "string"
        },
        "type": "string"
      }
    },
    "sourceFilters": [
      {
        "value": "string"
      }
    ],
    "timeFieldName": "string",
    "title": "string",
    "typeMeta": {
      "aggs": {},
      "params": {}
    },
    "version": "WzQ2LDJd"
  }
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Get agent tags

GET /api/fleet/agents/tags

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Query parameters

Responses

  • 200 application/json

    • items array[string]

  • 400 application/json

    • error string
    • message string
    • statusCode number

GET /api/fleet/agents/tags
curl \
 --request GET https://localhost:5601/api/fleet/agents/tags
Response examples (200)
{
  "items": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create output

POST /api/fleet/outputs

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body object

Any of: the four output types shown in the request examples below (elasticsearch, remote_elasticsearch, logstash, kafka), selected by the type field.

Responses

  • 200 application/json

    • item object

  • 400 application/json

    • error string
    • message string
    • statusCode number

POST /api/fleet/outputs
curl \
 --request POST https://localhost:5601/api/fleet/outputs \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"allow_edit":["string"],"ca_sha256":"string","ca_trusted_fingerprint":"string","config_yaml":"string","hosts":["https://example.com"],"id":"string","is_default":false,"is_default_monitoring":false,"is_internal":true,"is_preconfigured":true,"name":"string","preset":"balanced","proxy_id":"string","shipper":{"compression_level":42.0,"disk_queue_compression_enabled":true,"disk_queue_enabled":false,"disk_queue_encryption_enabled":true,"disk_queue_max_size":42.0,"disk_queue_path":"string","loadbalance":true,"max_batch_bytes":42.0,"mem_queue_events":42.0,"queue_flush_timeout":42.0},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string","verification_mode":"full"},"type":"elasticsearch"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "elasticsearch"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "kibana_api_key": "string",
  "kibana_url": "string",
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "secrets": {
    "kibana_api_key": {
      "id": "string"
    },
    "service_token": {
      "id": "string"
    }
  },
  "service_token": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "sync_integrations": true,
  "type": "remote_elasticsearch"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "logstash"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "auth_type": "none",
  "broker_timeout": 42.0,
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "client_id": "string",
  "compression": "gzip",
  "compression_level": [],
  "config_yaml": "string",
  "connection_type": [],
  "hash": {
    "hash": "string",
    "random": true
  },
  "headers": [
    {
      "key": "string",
      "value": "string"
    }
  ],
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "key": "string",
  "name": "string",
  "partition": "random",
  "password": [],
  "proxy_id": "string",
  "random": {
    "group_events": 42.0
  },
  "required_acks": 1,
  "round_robin": {
    "group_events": 42.0
  },
  "sasl": {
    "mechanism": "PLAIN"
  },
  "secrets": {
    "password": {
      "id": "string"
    },
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "timeout": 42.0,
  "topic": "string",
  "type": "kafka",
  "username": [],
  "version": "string"
}
Response examples (200)
{
  "item": {
    "allow_edit": [
      "string"
    ],
    "ca_sha256": "string",
    "ca_trusted_fingerprint": "string",
    "config_yaml": "string",
    "hosts": [
      "https://example.com"
    ],
    "id": "string",
    "is_default": false,
    "is_default_monitoring": false,
    "is_internal": true,
    "is_preconfigured": true,
    "name": "string",
    "preset": "balanced",
    "proxy_id": "string",
    "shipper": {
      "compression_level": 42.0,
      "disk_queue_compression_enabled": true,
      "disk_queue_enabled": false,
      "disk_queue_encryption_enabled": true,
      "disk_queue_max_size": 42.0,
      "disk_queue_path": "string",
      "loadbalance": true,
      "max_batch_bytes": 42.0,
      "mem_queue_events": 42.0,
      "queue_flush_timeout": 42.0
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string",
      "verification_mode": "full"
    },
    "type": "elasticsearch"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update a package policy

PUT /api/fleet/package_policies/{packagePolicyId}

Update a package policy by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body object

Any of: (the two request examples below show the two accepted body shapes; the attributes of the first are listed here)

  • description string

    Package policy description

  • enabled boolean
  • force boolean
  • inputs array[object]

    • config object

      Package variable (see integration documentation for more information)

      • * object Additional properties

        Additional properties are NOT allowed.

    • enabled boolean Required
    • id string
    • streams array[object]

      • config object

        Package variable (see integration documentation for more information)

        • * object Additional properties

          Additional properties are NOT allowed.

      • data_stream object Required

        Additional properties are NOT allowed.

      • enabled boolean Required
      • id string
      • release string

        Values are ga, beta, or experimental.

      • vars object

        Package variable (see integration documentation for more information)

        • * object Additional properties

          Additional properties are NOT allowed.

    • type string Required
    • vars object

      Package variable (see integration documentation for more information)

      • * object Additional properties

        Additional properties are NOT allowed.

  • is_managed boolean
  • name string
  • namespace string

    The package policy namespace. Leave blank to inherit the agent policy's namespace.

  • output_id string | null
  • overrides object | null

    Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

    Additional properties are NOT allowed.

    • inputs object

      Additional properties are allowed.

  • package object

    Additional properties are NOT allowed.

  • policy_id string | null Deprecated

    Agent policy ID where that package policy will be added

  • policy_ids array[string]

    Agent policy IDs where that package policy will be added

  • supports_agentless boolean | null

    Indicates whether the package policy belongs to an agentless agent policy.

    Default value is false.

  • vars object

    Package variable (see integration documentation for more information)

    • * object Additional properties

      Additional properties are NOT allowed.

  • version string

Responses

  • 200 application/json

    • item object Required

      Additional properties are NOT allowed.

      • agents number
      • created_at string Required
      • created_by string Required
      • description string

        Package policy description

      • elasticsearch object

        Additional properties are allowed.

        • privileges object

          Additional properties are allowed.

      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:

        • config object

          Package variable (see integration documentation for more information)

          • * object Additional properties

            Additional properties are NOT allowed.

        • enabled boolean Required
        • id string
        • streams array[object] Required

          • config object

            Package variable (see integration documentation for more information)

            • * object Additional properties

              Additional properties are NOT allowed.

          • data_stream object Required

            Additional properties are NOT allowed.

          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            • * object Additional properties

              Additional properties are NOT allowed.

        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          • * object Additional properties

            Additional properties are NOT allowed.

      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • namespace string

        The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]

        • id string Required

      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        • * object Additional properties

          Additional properties are NOT allowed.

      • version string

  • 400 application/json

    • error string
    • message string
    • statusCode number

  • 403 application/json

    • error string
    • message string
    • statusCode number

PUT /api/fleet/package_policies/{packagePolicyId}
curl \
 --request PUT https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"description":"string","enabled":true,"force":true,"inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"version":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "enabled": true,
  "force": true,
  "inputs": [
    {
      "config": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "enabled": true,
      "id": "string",
      "keep_enabled": true,
      "policy_template": "string",
      "streams": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "data_stream": {
            "dataset": "string",
            "elasticsearch": {
              "dynamic_dataset": true,
              "dynamic_namespace": true,
              "privileges": {
                "indices": [
                  "string"
                ]
              }
            },
            "type": "string"
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "release": "ga",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "type": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      }
    }
  ],
  "is_managed": true,
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "overrides": {
    "inputs": {}
  },
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {
    "additionalProperty1": {
      "frozen": true,
      "type": "string"
    },
    "additionalProperty2": {
      "frozen": true,
      "type": "string"
    }
  },
  "version": "string"
}
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "force": true,
  "id": "string",
  "inputs": {
    "additionalProperty1": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    },
    "additionalProperty2": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    }
  },
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {}
}
Response examples (200)
{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Get a Fleet Server host

GET /api/fleet/fleet_server_hosts/{itemId}

Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].

Responses

GET /api/fleet/fleet_server_hosts/{itemId}
curl \
 --request GET https://localhost:5601/api/fleet/fleet_server_hosts/{itemId}
Response examples (200)
{
  "item": {
    "host_urls": [
      "string"
    ],
    "id": "string",
    "is_default": false,
    "is_internal": true,
    "is_preconfigured": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update a Fleet Server host

PUT /api/fleet/fleet_server_hosts/{itemId}

Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

PUT /api/fleet/fleet_server_hosts/{itemId}
curl \
 --request PUT https://localhost:5601/api/fleet/fleet_server_hosts/{itemId} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host_urls":["string"],"is_default":true,"is_internal":true,"name":"string","proxy_id":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "host_urls": [
    "string"
  ],
  "is_default": true,
  "is_internal": true,
  "name": "string",
  "proxy_id": "string"
}
Response examples (200)
{
  "item": {
    "host_urls": [
      "string"
    ],
    "id": "string",
    "is_default": false,
    "is_internal": true,
    "is_preconfigured": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Get a role

GET /api/security/role/{name}

Path parameters

  • name string Required

    The role name.

    Minimum length is 1.

Query parameters

  • If true and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/security/role/{name}
curl \
 --request GET https://localhost:5601/api/security/role/{name}
Response examples (200)
{
  "name": "my_kibana_role",
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.",
  "elasticsearch": {
    "run_as": [],
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "index1",
          "index2"
        ],
        "privileges": [
          "all"
        ],
        "allow_restricted_indices": false
      }
    ],
    "remote_cluster": [
      {
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "monitor_enrich"
        ]
      }
    ],
    "remote_indices": [
      {
        "names": [
          "remote_index1",
          "remote_index2"
        ],
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "all"
        ],
        "allow_restricted_indices": false
      }
    ]
  },
  "_transform_error": [],
  "transient_metadata": {
    "enabled": true
  },
  "_unrecognized_applications": []
}
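
The role document above can be reviewed mechanically for least-privilege problems. The Python below is an added example (not Kibana's or Elastic's code) that audits the response shape of GET /api/security/role/{name}, using this page's my_kibana_role example as constructed input; the "broad" privilege sets are review heuristics chosen here, not an Elastic-published list.

```python
"""Least-privilege audit of a role document from GET /api/security/role/{name}.

Added example, not part of the Kibana API reference. It reads the JSON shape
shown in the response example above and reports grants a privilege review
would normally question. The "broad" sets are review heuristics chosen here,
not an Elastic-published list.
"""
from __future__ import annotations

import json

# Constructed input: the page's my_kibana_role example (description shortened),
# embedded so the audit runs offline without a Kibana instance.
SAMPLE_ROLE_JSON = """{
  "name": "my_kibana_role",
  "kibana": [{"base": ["all"], "spaces": ["default"], "feature": {}}],
  "metadata": {"version": 1},
  "description": "Grants all cluster privileges and full access to index1 and index2.",
  "elasticsearch": {
    "run_as": [],
    "cluster": ["all"],
    "indices": [{"names": ["index1", "index2"], "privileges": ["all"],
                 "allow_restricted_indices": false}],
    "remote_cluster": [{"clusters": ["remote_cluster1"], "privileges": ["monitor_enrich"]}],
    "remote_indices": [{"names": ["remote_index1", "remote_index2"],
                        "clusters": ["remote_cluster1"], "privileges": ["all"],
                        "allow_restricted_indices": false}]
  },
  "_transform_error": [],
  "transient_metadata": {"enabled": true},
  "_unrecognized_applications": []
}"""

# Heuristic: cluster privileges that amount to administrative control.
BROAD_CLUSTER = {"all", "manage", "manage_security", "manage_api_key"}
# Heuristic: index privileges that allow writes, deletion or full control.
BROAD_INDEX = {"all", "manage", "write", "delete_index"}


def audit_role(role: dict) -> list[str]:
    """Return one human-readable finding per questionable grant (empty = clean)."""
    name = role.get("name", "<unnamed>")
    es = role.get("elasticsearch", {})
    findings: list[str] = []

    # run_as lets holders act as other users; rarely needed outside service roles.
    if es.get("run_as"):
        findings.append(f"{name}: run_as permits impersonation of {es['run_as']}")

    broad = BROAD_CLUSTER & set(es.get("cluster", []))
    if broad:
        findings.append(f"{name}: broad cluster privileges {sorted(broad)}")

    # Local and cross-cluster index grants share the same shape and checks.
    for scope in ("indices", "remote_indices"):
        for grant in es.get(scope, []):
            names = grant.get("names", [])
            broad = BROAD_INDEX & set(grant.get("privileges", []))
            if broad:
                findings.append(f"{name}: {scope} {names} carry {sorted(broad)}")
            wild = [n for n in names if "*" in n]
            if wild:
                findings.append(f"{name}: {scope} use wildcard patterns {wild}")
            if grant.get("allow_restricted_indices"):
                findings.append(f"{name}: {scope} {names} may reach restricted system indices")

    for grant in es.get("remote_cluster", []):
        broad = BROAD_CLUSTER & set(grant.get("privileges", []))
        if broad:
            findings.append(f"{name}: remote clusters {grant.get('clusters')} get {sorted(broad)}")

    # Kibana side: 'all' base privilege in a space, or a grant spanning every space.
    for kb in role.get("kibana", []):
        spaces = kb.get("spaces", [])
        if "all" in kb.get("base", []):
            findings.append(f"{name}: Kibana base 'all' in spaces {spaces}")
        if "*" in spaces:
            findings.append(f"{name}: Kibana privileges apply to all spaces")

    # Non-empty values here mean Kibana could not fully represent the role,
    # so what the UI shows may understate what the role actually grants.
    if role.get("_transform_error"):
        findings.append(f"{name}: _transform_error is non-empty; review the raw ES role")
    if role.get("_unrecognized_applications"):
        findings.append(f"{name}: grants to unrecognized applications "
                        f"{role['_unrecognized_applications']}")
    return findings


def audit_role_json(text: str) -> list[str]:
    """Convenience wrapper for a raw API response body."""
    return audit_role(json.loads(text))


if __name__ == "__main__":
    for finding in audit_role_json(SAMPLE_ROLE_JSON):
        print(finding)
```

Run against the page's example it reports four findings (cluster, local indices, remote indices, Kibana base); a read-only role with named indices produces none.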
Apply a bulk action to detection rules

POST /api/detection_engine/rules/_bulk_action

Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.

Query parameters

  • dry_run boolean

    Enables dry run mode for the request call.

application/json

Body object

One of:
  • action string Required

    Value is delete.

  • ids array[string]

    Array of rule IDs

    At least 1 element.

  • query string

    Query to filter rules

Responses

  • 200 application/json

    OK

    One of:
    • attributes object Required

      Additional properties are allowed.

      • errors array[object]
        • err_code string

          Values are IMMUTABLE, PREBUILT_CUSTOMIZATION_LICENSE, MACHINE_LEARNING_AUTH, MACHINE_LEARNING_INDEX_PATTERN, ESQL_INDEX_PATTERN, MANUAL_RULE_RUN_FEATURE, or MANUAL_RULE_RUN_DISABLED_RULE.

        • message string Required
        • rules array[object] Required
        • status_code integer Required
      • results object Required

        Additional properties are allowed.

        • created array[object] Required
          Any of:
          • actions array[object] Required
            • action_type_id string Required

              The action type used for sending notifications.

            • Additional properties are allowed.

            • frequency object

              The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

              Additional properties are allowed.

              • notifyWhen string Required

                The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

                Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

              • summary boolean Required

                Action summary indicates whether a single summary notification is sent about all the generated alerts or a separate notification is sent per individual alert.

              • throttle string | null Required

                Defines how often rule actions are taken.

                One of:

                Values are no_actions or rule.

            • group string

              Optionally groups actions by use cases. Use default for alert notifications.

            • id string Required

              The connector ID.

            • params object Required

              Object containing the allowed connector fields, which varies according to the connector type.

              Additional properties are allowed.

            • uuid string(nonempty)

              A string that does not contain only whitespace characters

              Minimum length is 1.

          • Values are savedObjectConversion or savedObjectImport.

          • author array[string] Required
          • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

          • description string Required

            Minimum length is 1.

          • enabled boolean Required

            Determines whether the rule is enabled.

          • exceptions_list array[object] Required
            • id string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

            • list_id string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

            • namespace_type string Required

              Determines the validity of the exceptions in the rule's Kibana space

              Values are agnostic or single.

            • type string Required

              The exception type

              Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

          • false_positives array[string] Required
          • from string(date-math) Required

            Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

          • interval string Required

            Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

          • investigation_fields object

            Schema for fields relating to investigation fields. These are user-defined fields that are highlighted in various UI features, such as the alert details flyout and exception auto-population from an alert. Added in PR #163235. Right now there is only a single field, but more related fields are anticipated to store various configuration states, such as override, where a user might say whether they want only these fields to display, or these fields plus the fields we select. When expanded, it may look something like:

            const investigationFields = z.object({
              field_names: NonEmptyArray(NonEmptyString),
              override: z.boolean().optional(),
            });

            Additional properties are allowed.

            • field_names array[string(nonempty)] Required

              A string that does not contain only whitespace characters

              At least 1 element. Minimum length of each is 1.

          • license string

            The rule's license.

          • max_signals integer Required

            Minimum value is 1.

          • meta object

            Additional properties are allowed.

          • name string Required

            Minimum length is 1.

          • Has no effect.

          • note string

            Notes to help investigate alerts produced by the rule.

          • outcome string

            Values are exactMatch, aliasMatch, or conflict.

          • output_index string Deprecated

            (deprecated) Has no effect.

          • references array[string] Required
          • required_fields array[object] Required
            • ecs boolean Required

              Whether the field is an ECS field

            • name string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

            • type string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

          • response_actions array[object]
            One of:
          • risk_score integer Required

            Risk score (0 to 100)

            Minimum value is 0, maximum value is 100.

          • risk_score_mapping array[object] Required

            Overrides generated alerts' risk_score with a value from the source event

          • Sets the source field for the alert's signal.rule.name value

          • setup string Required
          • severity string Required

            Severity of the rule

            Values are low, medium, high, or critical.

          • severity_mapping array[object] Required

            Overrides generated alerts' severity with values from the source event

            • field string Required
            • operator string Required

              Value is equals.

            • severity string Required

              Severity of the rule

              Values are low, medium, high, or critical.

            • value string Required
          • tags array[string] Required

            String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

          • threat array[object] Required
            • framework string Required

              Relevant attack framework

            • tactic object Required

              Additional properties are allowed.

              • id string Required

                Tactic ID

              • name string Required

                Tactic name

              • reference string Required

                Tactic reference

            • technique array[object]

              Array containing information on the attack techniques (optional)

              • id string Required

                Technique ID

              • name string Required

                Technique name

              • reference string Required

                Technique reference

              • subtechnique array[object]

                Array containing more specific information on the attack technique

                • id string Required

                  Subtechnique ID

                • name string Required

                  Subtechnique name

                • reference string Required

                  Subtechnique reference

          • throttle string | null

            Defines how often rule actions are taken.

            One of:

            Values are no_actions or rule.

          • Timeline template ID

          • Timeline template title

          • Sets the time field used to query indices

          • Disables the fallback to the event's @timestamp field

          • to string Required
          • version integer Required

            The rule's version number.

            Minimum value is 1.

          • created_at string(date-time) Required
          • created_by string Required
          • execution_summary object

            Additional properties are allowed.

            • last_execution object Required

              Additional properties are allowed.

              • date string(date-time) Required

                Date of the last execution

              • message string Required
              • metrics object Required

                Additional properties are allowed.

                • Duration in seconds of execution gap

                  Minimum value is 0.

                • gap_range object

                  Range of the execution gap

                  Additional properties are allowed.

                  • gte string Required

                    Start date of the execution gap

                  • lte string Required

                    End date of the execution gap

                • Total time spent enriching documents during current rule execution cycle

                  Minimum value is 0.

                • Total time spent indexing documents during current rule execution cycle

                  Minimum value is 0.

                • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

                  Minimum value is 0.

              • status string Required

                Status of the last execution

                Values are going to run, running, partial failure, failed, or succeeded.

              • status_order integer Required
          • id string(uuid) Required

            A universally unique identifier

          • immutable boolean Required Deprecated

            This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

          • revision integer Required

            Minimum value is 0.

          • rule_id string Required

            Could be any string, not necessarily a UUID

          • rule_source object Required

            Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

            One of:

            Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

            • is_customized boolean Required

              Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

            • type string Required Discriminator

              Value is external.

          • updated_at string(date-time) Required
          • updated_by string Required
          • language string Required

            Query language to use

            Value is eql.

          • query string Required

            EQL query to execute

          • type string Required Discriminator

            Rule type

            Value is eql.

          • alert_suppression object

            Additional properties are allowed.

            • duration object

              Additional properties are allowed.

              • unit string Required

                Values are s, m, or h.

              • value integer Required

                Minimum value is 1.

            • group_by array[string] Required

              At least 1 but not more than 3 elements.

            • Describes how alerts are generated for documents that are missing the suppress-by fields: doNotSuppress creates a separate alert for each such document; suppress creates only one alert per suppress-by bucket.

              Values are doNotSuppress or suppress.

          • filters array
          • index array[string]
          • Sets a secondary field for sorting events

          • Contains the event timestamp used for sorting a sequence of events

        • deleted array[object] Required
          Any of:
          • actions array[object] Required
            • action_type_id string Required

              The action type used for sending notifications.

            • Additional properties are allowed.

            • frequency object

              The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

              Additional properties are allowed.

              • notifyWhen string Required

                The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

                Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

              • summary boolean Required

                Action summary indicates whether a single summary notification is sent about all the generated alerts or a separate notification is sent per individual alert.

              • throttle string | null Required

                Defines how often rule actions are taken.

                One of:

                Values are no_actions or rule.

            • group string

              Optionally groups actions by use cases. Use default for alert notifications.

            • id string Required

              The connector ID.

            • params object Required

              Object containing the allowed connector fields, which varies according to the connector type.

              Additional properties are allowed.

            • uuid string(nonempty)

              A string that does not contain only whitespace characters

              Minimum length is 1.

          • Values are savedObjectConversion or savedObjectImport.

          • author array[string] Required
          • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

          • description string Required

            Minimum length is 1.

          • enabled boolean Required

            Determines whether the rule is enabled.

          • exceptions_list array[object] Required
            • id string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

            • list_id string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

            • namespace_type string Required

              Determines the validity of the exceptions in the rule's Kibana space

              Values are agnostic or single.

            • type string Required

              The exception type

              Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

          • false_positives array[string] Required
          • from string(date-math) Required

            Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

          • interval string Required

            Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

          • investigation_fields object

            Schema for fields relating to investigation fields. These are user-defined fields that are highlighted in various UI features, such as the alert details flyout and exception auto-population from an alert. Added in PR #163235. Right now there is only a single field, but more related fields are anticipated to store various configuration states, such as override, where a user might say whether they want only these fields to display, or these fields plus the fields we select. When expanded, it may look something like:

            const investigationFields = z.object({
              field_names: NonEmptyArray(NonEmptyString),
              override: z.boolean().optional(),
            });

            Additional properties are allowed.

            • field_names array[string(nonempty)] Required

              A string that does not contain only whitespace characters

              At least 1 element. Minimum length of each is 1.

          • license string

            The rule's license.

          • max_signals integer Required

            Minimum value is 1.

          • meta object

            Additional properties are allowed.

          • name string Required

            Minimum length is 1.

          • Has no effect.

          • note string

            Notes to help investigate alerts produced by the rule.

          • outcome string

            Values are exactMatch, aliasMatch, or conflict.

          • output_index string Deprecated

            (deprecated) Has no effect.

          • references array[string] Required
          • required_fields array[object] Required
            • ecs boolean Required

              Whether the field is an ECS field

            • name string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

            • type string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

          • response_actions array[object]
            One of:
          • risk_score integer Required

            Risk score (0 to 100)

            Minimum value is 0, maximum value is 100.

          • risk_score_mapping array[object] Required

            Overrides generated alerts' risk_score with a value from the source event

          • Sets the source field for the alert's signal.rule.name value

          • setup string Required
          • severity string Required

            Severity of the rule

            Values are low, medium, high, or critical.

          • severity_mapping array[object] Required

            Overrides generated alerts' severity with values from the source event

            • field string Required
            • operator string Required

              Value is equals.

            • severity string Required

              Severity of the rule

              Values are low, medium, high, or critical.

            • value string Required
          • tags array[string] Required

            String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

          • threat array[object] Required
            • framework string Required

              Relevant attack framework

            • tactic object Required

              Additional properties are allowed.

              • id string Required

                Tactic ID

              • name string Required

                Tactic name

              • reference string Required

                Tactic reference

            • technique array[object]

              Array containing information on the attack techniques (optional)

              • id string Required

                Technique ID

              • name string Required

                Technique name

              • reference string Required

                Technique reference

              • subtechnique array[object]

                Array containing more specific information on the attack technique

                • id string Required

                  Subtechnique ID

                • name string Required

                  Subtechnique name

                • reference string Required

                  Subtechnique reference

          • throttle string | null

            Defines how often rule actions are taken.

            One of:

            Values are no_actions or rule.

          • Timeline template ID

          • Timeline template title

          • Sets the time field used to query indices

          • Disables the fallback to the event's @timestamp field

          • to string Required
          • version integer Required

            The rule's version number.

            Minimum value is 1.

          • created_at string(date-time) Required
          • created_by string Required
          • execution_summary object

            Additional properties are allowed.

            • last_execution object Required

              Additional properties are allowed.

              • date string(date-time) Required

                Date of the last execution

              • message string Required
              • metrics object Required

                Additional properties are allowed.

                • Duration in seconds of execution gap

                  Minimum value is 0.

                • gap_range object

                  Range of the execution gap

                  Additional properties are allowed.

                  • gte string Required

                    Start date of the execution gap

                  • lte string Required

                    End date of the execution gap

                • Total time spent enriching documents during current rule execution cycle

                  Minimum value is 0.

                • Total time spent indexing documents during current rule execution cycle

                  Minimum value is 0.

                • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

                  Minimum value is 0.

              • status string Required

                Status of the last execution

                Values are going to run, running, partial failure, failed, or succeeded.

              • status_order integer Required
          • id string(uuid) Required

            A universally unique identifier

          • immutable boolean Required Deprecated

            This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

          • revision integer Required

            Minimum value is 0.

          • rule_id string Required

            Could be any string, not necessarily a UUID

          • rule_source object Required

            Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

            One of:

            Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

            Attributes:
            • is_customized boolean Required

              Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

            • type string Required Discriminator

              Value is external.

          • updated_at string(date-time) Required
          • updated_by string Required
          • language string Required

            Query language to use

            Value is eql.

          • query string Required

            EQL query to execute

          • type string Required Discriminator

            Rule type

            Value is eql.

          • alert_suppression object

            Additional properties are allowed.

            alert_suppression attributes (object):
            • duration object

              Additional properties are allowed.

              duration attributes (object):
              • unit string Required

                Values are s, m, or h.

              • value integer Required

                Minimum value is 1.

            • group_by array[string] Required

              At least 1 but not more than 3 elements.

            • Describes how alerts are generated for documents that are missing the suppress-by fields: doNotSuppress creates a separate alert for each document; suppress creates only one alert per suppress-by bucket.

              Values are doNotSuppress or suppress.

          • filters array
          • index array[string]
          • Sets a secondary field for sorting events

          • Contains the event timestamp used for sorting a sequence of events

        • skipped array[object] Required
          skipped attributes (object):
        • updated array[object] Required
          Any of:
          Attributes:
          • actions array[object] Required
            actions attributes (object):
            • action_type_id string Required

              The action type used for sending notifications.

            • Additional properties are allowed.

            • frequency object

              The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

              Additional properties are allowed.

              frequency attributes (object):
              • notifyWhen string Required

                The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

                Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

              • summary boolean Required

                Indicates whether a single summary notification is sent for all generated alerts, or one notification is sent per individual alert.

              • throttle string | null Required

                Defines how often rule actions are taken.

                One of:

                Values are no_actions or rule.

            • group string

              Optionally groups actions by use cases. Use default for alert notifications.

            • id string Required

              The connector ID.

            • params object Required

              Object containing the allowed connector fields, which varies according to the connector type.

              Additional properties are allowed.

            • uuid string(nonempty)

              A string that does not contain only whitespace characters

              Minimum length is 1.

          • Values are savedObjectConversion or savedObjectImport.

          • author array[string] Required
          • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

          • description string Required

            Minimum length is 1.

          • enabled boolean Required

            Determines whether the rule is enabled.

          • exceptions_list array[object] Required
            exceptions_list attributes (object):
            • id string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

            • list_id string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

            • namespace_type string Required

              Determines the validity of the exception list in the rule's Kibana space.

              Values are agnostic or single.

            • type string Required

              The exception type

              Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

          • false_positives array[string] Required
          • from string(date-math) Required

            Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

          • interval string Required

            Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

          • investigation_fields object

            Schema for fields relating to investigation fields. These are user-defined fields that are highlighted in various features of the UI, such as the alert details flyout and exceptions auto-population from an alert. Added in PR #163235. Right now there is only a single field, but more related fields are anticipated to store various configuration states, such as override, where a user might specify whether only these fields should be displayed, or these fields plus the fields selected by default. When expanded, this field may look something like:

            const investigationFields = z.object({
              field_names: NonEmptyArray(NonEmptyString),
              override: z.boolean().optional(),
            });
            

            Additional properties are allowed.

            investigation_fields attributes (object):
            • field_names array[string(nonempty)] Required

              A string that does not contain only whitespace characters

              At least 1 element. Minimum length of each is 1.

          • license string

            The rule's license.

          • max_signals integer Required

            Minimum value is 1.

          • meta object

            Additional properties are allowed.

          • name string Required

            Minimum length is 1.

          • Has no effect.

          • note string

            Notes to help investigate alerts produced by the rule.

          • outcome string

            Values are exactMatch, aliasMatch, or conflict.

          • output_index string Deprecated

            (deprecated) Has no effect.

          • references array[string] Required
          • required_fields array[object] Required
            required_fields attributes (object):
            • ecs boolean Required

              Whether the field is an ECS field

            • name string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

            • type string(nonempty) Required

              A string that does not contain only whitespace characters

              Minimum length is 1.

          • response_actions array[object]
            One of:
            Attributes:
          • risk_score integer Required

            Risk score (0 to 100)

            Minimum value is 0, maximum value is 100.

          • risk_score_mapping array[object] Required

            Overrides generated alerts' risk_score with a value from the source event

            risk_score_mapping attributes (object):
          • Sets the source field for the alert's signal.rule.name value

          • setup string Required
          • severity string Required

            Severity of the rule

            Values are low, medium, high, or critical.

          • severity_mapping array[object] Required

            Overrides generated alerts' severity with values from the source event

            severity_mapping attributes (object):
            • field string Required
            • operator string Required

              Value is equals.

            • severity string Required

              Severity of the rule

              Values are low, medium, high, or critical.

            • value string Required
          • tags array[string] Required

            String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

          • threat array[object] Required
            threat attributes (object):
            • framework string Required

              Relevant attack framework

            • tactic object Required

              Additional properties are allowed.

              tactic attributes (object):
              • id string Required

                Tactic ID

              • name string Required

                Tactic name

              • reference string Required

                Tactic reference

            • technique array[object]

              Array containing information on the attack techniques (optional)

              technique attributes (object):
              • id string Required

                Technique ID

              • name string Required

                Technique name

              • reference string Required

                Technique reference

              • subtechnique array[object]

                Array containing more specific information on the attack technique

                subtechnique attributes (object):
                • id string Required

                  Subtechnique ID

                • name string Required

                  Subtechnique name

                • reference string Required

                  Subtechnique reference

          • throttle string | null

            Defines how often rule actions are taken.

            One of:

            Values are no_actions or rule.

          • Timeline template ID

          • Timeline template title

          • Sets the time field used to query indices

          • Disables the fallback to the event's @timestamp field

          • to string Required
          • version integer Required

            The rule's version number.

            Minimum value is 1.

          • created_at string(date-time) Required
          • created_by string Required
          • execution_summary object

            Additional properties are allowed.

            execution_summary attributes (object):
            • last_execution object Required

              Additional properties are allowed.

              last_execution attributes (object):
              • date string(date-time) Required

                Date of the last execution

              • message string Required
              • metrics object Required

                Additional properties are allowed.

                metrics attributes (object):
                • Duration in seconds of execution gap

                  Minimum value is 0.

                • Range of the execution gap

                  Additional properties are allowed.

                  gap_range attributes (object):
                  • gte string Required

                    Start date of the execution gap

                  • lte string Required

                    End date of the execution gap

                • Total time spent enriching documents during current rule execution cycle

                  Minimum value is 0.

                • Total time spent indexing documents during current rule execution cycle

                  Minimum value is 0.

                • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

                  Minimum value is 0.

              • status string Required

                Status of the last execution

                Values are going to run, running, partial failure, failed, or succeeded.

              • status_order integer Required
          • id string(uuid) Required

            A universally unique identifier

          • immutable boolean Required Deprecated

            This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

          • revision integer Required

            Minimum value is 0.

          • rule_id string Required

            Could be any string, not necessarily a UUID

          • rule_source object Required

            Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

            One of:

            Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

            Attributes:
            • is_customized boolean Required

              Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

            • type string Required Discriminator

              Value is external.

          • updated_at string(date-time) Required
          • updated_by string Required
          • language string Required

            Query language to use

            Value is eql.

          • query string Required

            EQL query to execute

          • type string Required Discriminator

            Rule type

            Value is eql.

          • alert_suppression object

            Additional properties are allowed.

            alert_suppression attributes (object):
            • duration object

              Additional properties are allowed.

              duration attributes (object):
              • unit string Required

                Values are s, m, or h.

              • value integer Required

                Minimum value is 1.

            • group_by array[string] Required

              At least 1 but not more than 3 elements.

            • Describes how alerts are generated for documents that are missing the suppress-by fields: doNotSuppress creates a separate alert for each document; suppress creates only one alert per suppress-by bucket.

              Values are doNotSuppress or suppress.

          • filters array
          • index array[string]
          • Sets a secondary field for sorting events

          • Contains the event timestamp used for sorting a sequence of events

      • summary object Required

        Additional properties are allowed.

        summary attributes (object):
    • message string
    • success boolean
POST /api/detection_engine/rules/_bulk_action
curl \
 --request POST https://localhost:5601/api/detection_engine/rules/_bulk_action \
 --header "Content-Type: application/json" \
 --data '{"action":"delete","ids":["string"],"query":"string"}'
{
  "action": "delete",
  "ids": [
    "string"
  ],
  "query": "string"
}
{
  "action": "disable",
  "ids": [
    "string"
  ],
  "query": "string"
}
{
  "action": "enable",
  "ids": [
    "string"
  ],
  "query": "string"
}
{
  "action": "export",
  "ids": [
    "string"
  ],
  "query": "string"
}
{
  "action": "duplicate",
  "duplicate": {
    "include_exceptions": true,
    "include_expired_exceptions": true
  },
  "ids": [
    "string"
  ],
  "query": "string"
}
{
  "action": "run",
  "ids": [
    "string"
  ],
  "query": "string",
  "run": {
    "end_date": "string",
    "start_date": "string"
  }
}
{
  "action": "edit",
  "edit": [
    {
      "type": "add_tags",
      "value": [
        "string"
      ]
    }
  ],
  "ids": [
    "string"
  ],
  "query": "string"
}
Response examples (200)
{
  "attributes": {
    "errors": [
      {
        "err_code": "IMMUTABLE",
        "message": "string",
        "rules": [
          {
            "id": "string",
            "name": "string"
          }
        ],
        "status_code": 42
      }
    ],
    "results": {
      "created": [
        {
          "actions": [
            {
              "action_type_id": "string",
              "alerts_filter": {},
              "frequency": {
                "notifyWhen": "onActiveAlert",
                "summary": true,
                "throttle": "no_actions"
              },
              "group": "string",
              "id": "string",
              "params": {},
              "uuid": "string"
            }
          ],
          "alias_purpose": "savedObjectConversion",
          "alias_target_id": "string",
          "author": [
            "string"
          ],
          "building_block_type": "string",
          "description": "string",
          "enabled": true,
          "exceptions_list": [
            {
              "id": "string",
              "list_id": "string",
              "namespace_type": "agnostic",
              "type": "detection"
            }
          ],
          "false_positives": [
            "string"
          ],
          "from": "string",
          "interval": "string",
          "investigation_fields": {
            "field_names": [
              "string"
            ]
          },
          "license": "string",
          "max_signals": 42,
          "meta": {},
          "name": "string",
          "namespace": "string",
          "note": "string",
          "outcome": "exactMatch",
          "output_index": "string",
          "references": [
            "string"
          ],
          "related_integrations": [
            {
              "integration": "string",
              "package": "string",
              "version": "string"
            }
          ],
          "required_fields": [
            {
              "ecs": true,
              "name": "string",
              "type": "string"
            }
          ],
          "response_actions": [
            {
              "action_type_id": ".osquery",
              "params": {
                "ecs_mapping": {
                  "additionalProperty1": {
                    "field": "string",
                    "value": "string"
                  },
                  "additionalProperty2": {
                    "field": "string",
                    "value": "string"
                  }
                },
                "pack_id": "string",
                "queries": [
                  {
                    "ecs_mapping": {
                      "additionalProperty1": {
                        "field": "string",
                        "value": "string"
                      },
                      "additionalProperty2": {
                        "field": "string",
                        "value": "string"
                      }
                    },
                    "id": "string",
                    "platform": "string",
                    "query": "string",
                    "removed": true,
                    "snapshot": true,
                    "version": "string"
                  }
                ],
                "query": "string",
                "saved_query_id": "string",
                "timeout": 42.0
              }
            }
          ],
          "risk_score": 42,
          "risk_score_mapping": [
            {
              "field": "string",
              "operator": "equals",
              "risk_score": 42,
              "value": "string"
            }
          ],
          "rule_name_override": "string",
          "setup": "string",
          "severity": "low",
          "severity_mapping": [
            {
              "field": "string",
              "operator": "equals",
              "severity": "low",
              "value": "string"
            }
          ],
          "tags": [
            "string"
          ],
          "threat": [
            {
              "framework": "string",
              "tactic": {
                "id": "string",
                "name": "string",
                "reference": "string"
              },
              "technique": [
                {
                  "id": "string",
                  "name": "string",
                  "reference": "string",
                  "subtechnique": [
                    {
                      "id": "string",
                      "name": "string",
                      "reference": "string"
                    }
                  ]
                }
              ]
            }
          ],
          "throttle": "no_actions",
          "timeline_id": "string",
          "timeline_title": "string",
          "timestamp_override": "string",
          "timestamp_override_fallback_disabled": true,
          "to": "string",
          "version": 42,
          "created_at": "2025-05-04T09:42:00+00:00",
          "created_by": "string",
          "execution_summary": {
            "last_execution": {
              "date": "2025-05-04T09:42:00+00:00",
              "message": "string",
              "metrics": {
                "execution_gap_duration_s": 42,
                "gap_range": {
                  "gte": "string",
                  "lte": "string"
                },
                "total_enrichment_duration_ms": 42,
                "total_indexing_duration_ms": 42,
                "total_search_duration_ms": 42
              },
              "status": "going to run",
              "status_order": 42
            }
          },
          "id": "string",
          "immutable": true,
          "revision": 42,
          "rule_id": "string",
          "rule_source": {
            "is_customized": true,
            "type": "external"
          },
          "updated_at": "2025-05-04T09:42:00+00:00",
          "updated_by": "string",
          "language": "eql",
          "query": "string",
          "type": "eql",
          "alert_suppression": {
            "duration": {
              "unit": "s",
              "value": 42
            },
            "group_by": [
              "string"
            ],
            "missing_fields_strategy": "doNotSuppress"
          },
          "data_view_id": "string",
          "event_category_override": "string",
          "filters": [],
          "index": [
            "string"
          ],
          "tiebreaker_field": "string",
          "timestamp_field": "string"
        }
      ],
      "deleted": [
        {
          "actions": [
            {
              "action_type_id": "string",
              "alerts_filter": {},
              "frequency": {
                "notifyWhen": "onActiveAlert",
                "summary": true,
                "throttle": "no_actions"
              },
              "group": "string",
              "id": "string",
              "params": {},
              "uuid": "string"
            }
          ],
          "alias_purpose": "savedObjectConversion",
          "alias_target_id": "string",
          "author": [
            "string"
          ],
          "building_block_type": "string",
          "description": "string",
          "enabled": true,
          "exceptions_list": [
            {
              "id": "string",
              "list_id": "string",
              "namespace_type": "agnostic",
              "type": "detection"
            }
          ],
          "false_positives": [
            "string"
          ],
          "from": "string",
          "interval": "string",
          "investigation_fields": {
            "field_names": [
              "string"
            ]
          },
          "license": "string",
          "max_signals": 42,
          "meta": {},
          "name": "string",
          "namespace": "string",
          "note": "string",
          "outcome": "exactMatch",
          "output_index": "string",
          "references": [
            "string"
          ],
          "related_integrations": [
            {
              "integration": "string",
              "package": "string",
              "version": "string"
            }
          ],
          "required_fields": [
            {
              "ecs": true,
              "name": "string",
              "type": "string"
            }
          ],
          "response_actions": [
            {
              "action_type_id": ".osquery",
              "params": {
                "ecs_mapping": {
                  "additionalProperty1": {
                    "field": "string",
                    "value": "string"
                  },
                  "additionalProperty2": {
                    "field": "string",
                    "value": "string"
                  }
                },
                "pack_id": "string",
                "queries": [
                  {
                    "ecs_mapping": {
                      "additionalProperty1": {
                        "field": "string",
                        "value": "string"
                      },
                      "additionalProperty2": {
                        "field": "string",
                        "value": "string"
                      }
                    },
                    "id": "string",
                    "platform": "string",
                    "query": "string",
                    "removed": true,
                    "snapshot": true,
                    "version": "string"
                  }
                ],
                "query": "string",
                "saved_query_id": "string",
                "timeout": 42.0
              }
            }
          ],
          "risk_score": 42,
          "risk_score_mapping": [
            {
              "field": "string",
              "operator": "equals",
              "risk_score": 42,
              "value": "string"
            }
          ],
          "rule_name_override": "string",
          "setup": "string",
          "severity": "low",
          "severity_mapping": [
            {
              "field": "string",
              "operator": "equals",
              "severity": "low",
              "value": "string"
            }
          ],
          "tags": [
            "string"
          ],
          "threat": [
            {
              "framework": "string",
              "tactic": {
                "id": "string",
                "name": "string",
                "reference": "string"
              },
              "technique": [
                {
                  "id": "string",
                  "name": "string",
                  "reference": "string",
                  "subtechnique": [
                    {
                      "id": "string",
                      "name": "string",
                      "reference": "string"
                    }
                  ]
                }
              ]
            }
          ],
          "throttle": "no_actions",
          "timeline_id": "string",
          "timeline_title": "string",
          "timestamp_override": "string",
          "timestamp_override_fallback_disabled": true,
          "to": "string",
          "version": 42,
          "created_at": "2025-05-04T09:42:00+00:00",
          "created_by": "string",
          "execution_summary": {
            "last_execution": {
              "date": "2025-05-04T09:42:00+00:00",
              "message": "string",
              "metrics": {
                "execution_gap_duration_s": 42,
                "gap_range": {
                  "gte": "string",
                  "lte": "string"
                },
                "total_enrichment_duration_ms": 42,
                "total_indexing_duration_ms": 42,
                "total_search_duration_ms": 42
              },
              "status": "going to run",
              "status_order": 42
            }
          },
          "id": "string",
          "immutable": true,
          "revision": 42,
          "rule_id": "string",
          "rule_source": {
            "is_customized": true,
            "type": "external"
          },
          "updated_at": "2025-05-04T09:42:00+00:00",
          "updated_by": "string",
          "language": "eql",
          "query": "string",
          "type": "eql",
          "alert_suppression": {
            "duration": {
              "unit": "s",
              "value": 42
            },
            "group_by": [
              "string"
            ],
            "missing_fields_strategy": "doNotSuppress"
          },
          "data_view_id": "string",
          "event_category_override": "string",
          "filters": [],
          "index": [
            "string"
          ],
          "tiebreaker_field": "string",
          "timestamp_field": "string"
        }
      ],
      "skipped": [
        {
          "id": "string",
          "name": "string",
          "skip_reason": "RULE_NOT_MODIFIED"
        }
      ],
      "updated": [
        {
          "actions": [
            {
              "action_type_id": "string",
              "alerts_filter": {},
              "frequency": {
                "notifyWhen": "onActiveAlert",
                "summary": true,
                "throttle": "no_actions"
              },
              "group": "string",
              "id": "string",
              "params": {},
              "uuid": "string"
            }
          ],
          "alias_purpose": "savedObjectConversion",
          "alias_target_id": "string",
          "author": [
            "string"
          ],
          "building_block_type": "string",
          "description": "string",
          "enabled": true,
          "exceptions_list": [
            {
              "id": "string",
              "list_id": "string",
              "namespace_type": "agnostic",
              "type": "detection"
            }
          ],
          "false_positives": [
            "string"
          ],
          "from": "string",
          "interval": "string",
          "investigation_fields": {
            "field_names": [
              "string"
            ]
          },
          "license": "string",
          "max_signals": 42,
          "meta": {},
          "name": "string",
          "namespace": "string",
          "note": "string",
          "outcome": "exactMatch",
          "output_index": "string",
          "references": [
            "string"
          ],
          "related_integrations": [
            {
              "integration": "string",
              "package": "string",
              "version": "string"
            }
          ],
          "required_fields": [
            {
              "ecs": true,
              "name": "string",
              "type": "string"
            }
          ],
          "response_actions": [
            {
              "action_type_id": ".osquery",
              "params": {
                "ecs_mapping": {
                  "additionalProperty1": {
                    "field": "string",
                    "value": "string"
                  },
                  "additionalProperty2": {
                    "field": "string",
                    "value": "string"
                  }
                },
                "pack_id": "string",
                "queries": [
                  {
                    "ecs_mapping": {
                      "additionalProperty1": {
                        "field": "string",
                        "value": "string"
                      },
                      "additionalProperty2": {
                        "field": "string",
                        "value": "string"
                      }
                    },
                    "id": "string",
                    "platform": "string",
                    "query": "string",
                    "removed": true,
                    "snapshot": true,
                    "version": "string"
                  }
                ],
                "query": "string",
                "saved_query_id": "string",
                "timeout": 42.0
              }
            }
          ],
          "risk_score": 42,
          "risk_score_mapping": [
            {
              "field": "string",
              "operator": "equals",
              "risk_score": 42,
              "value": "string"
            }
          ],
          "rule_name_override": "string",
          "setup": "string",
          "severity": "low",
          "severity_mapping": [
            {
              "field": "string",
              "operator": "equals",
              "severity": "low",
              "value": "string"
            }
          ],
          "tags": [
            "string"
          ],
          "threat": [
            {
              "framework": "string",
              "tactic": {
                "id": "string",
                "name": "string",
                "reference": "string"
              },
              "technique": [
                {
                  "id": "string",
                  "name": "string",
                  "reference": "string",
                  "subtechnique": [
                    {
                      "id": "string",
                      "name": "string",
                      "reference": "string"
                    }
                  ]
                }
              ]
            }
          ],
          "throttle": "no_actions",
          "timeline_id": "string",
          "timeline_title": "string",
          "timestamp_override": "string",
          "timestamp_override_fallback_disabled": true,
          "to": "string",
          "version": 42,
          "created_at": "2025-05-04T09:42:00+00:00",
          "created_by": "string",
          "execution_summary": {
            "last_execution": {
              "date": "2025-05-04T09:42:00+00:00",
              "message": "string",
              "metrics": {
                "execution_gap_duration_s": 42,
                "gap_range": {
                  "gte": "string",
                  "lte": "string"
                },
                "total_enrichment_duration_ms": 42,
                "total_indexing_duration_ms": 42,
                "total_search_duration_ms": 42
              },
              "status": "going to run",
              "status_order": 42
            }
          },
          "id": "string",
          "immutable": true,
          "revision": 42,
          "rule_id": "string",
          "rule_source": {
            "is_customized": true,
            "type": "external"
          },
          "updated_at": "2025-05-04T09:42:00+00:00",
          "updated_by": "string",
          "language": "eql",
          "query": "string",
          "type": "eql",
          "alert_suppression": {
            "duration": {
              "unit": "s",
              "value": 42
            },
            "group_by": [
              "string"
            ],
            "missing_fields_strategy": "doNotSuppress"
          },
          "data_view_id": "string",
          "event_category_override": "string",
          "filters": [],
          "index": [
            "string"
          ],
          "tiebreaker_field": "string",
          "timestamp_field": "string"
        }
      ]
    },
    "summary": {
      "failed": 42,
      "skipped": 42,
      "succeeded": 42,
      "total": 42
    }
  },
  "message": "string",
  "rules_count": 42,
  "status_code": 42,
  "success": true
}
string