Api key auth (http_api_key)
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
Kibana APIs
1.0.2
Base URL
https://localhost:5601
https://localhost:5601The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation.
To interact with Kibana APIs, use the following operations:
- GET: Fetches the information.
- PATCH: Applies partial modifications to the existing information.
- POST: Adds new information.
- PUT: Updates the existing information.
- DELETE: Removes the information.
You can prepend any Kibana API endpoint with kbn: and run the request in Dev Tools → Console.
For example:
GET kbn:/api/data_views
For more information about the console, refer to Run API requests.
NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
Documentation source and versions
This documentation is derived from the main branch of the kibana repository.
It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.
This documentation contains work-in-progress information for future Elastic Stack releases.
This is version 1.0.2 of this API documentation.
Last update on Apr 4, 2025.
Servers
| Base URL | Description |
|---|---|
| https://localhost:5601 | |
| https://localhost:5601 |
Authentication
The API accepts 2 different authentication methods:
Basic auth (http)
Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password
(separated by a : colon).
Example: send a Authorization: Basic aGVsbG86aGVsbG8=
HTTP header with your requests to authenticate with the API.
Kibana spaces
Spaces enable you to organize your dashboards and other saved objects into meaningful categories. You can use the default space or create your own spaces.
To run APIs in non-default spaces, you must add s/{space_id}/ to the path.
For example:
curl -X GET "http://localhost:5601/s/marketing/api/data_views"
If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier.
To learn more, check out Spaces.
Path parameters
-
id
string Required The identifier for the rule.
GET
/api/alerting/rule/{id}
curl \
--request GET 'https://localhost:5601/api/alerting/rule/{id}' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"actions": [
{
"alerts_filter": {
"query": {
"dsl": "string",
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {},
"query": {}
}
],
"kql": "string"
},
"timeframe": {
"days": [
1
],
"hours": {
"end": "string",
"start": "string"
},
"timezone": "string"
}
},
"connector_type_id": "string",
"frequency": {
"notify_when": "onActionGroupChange",
"summary": true,
"throttle": "string"
},
"group": "string",
"id": "string",
"params": {},
"use_alert_data_for_template": true,
"uuid": "string"
}
],
"active_snoozes": [
"string"
],
"alert_delay": {
"active": 42.0
},
"api_key_created_by_user": true,
"api_key_owner": "string",
"consumer": "string",
"created_at": "string",
"created_by": "string",
"enabled": true,
"execution_status": {
"error": {
"message": "string",
"reason": "read"
},
"last_duration": 42.0,
"last_execution_date": "string",
"status": "ok",
"warning": {
"message": "string",
"reason": "maxExecutableActions"
}
},
"flapping": {
"look_back_window": 42.0,
"status_change_threshold": 42.0
},
"id": "string",
"is_snoozed_until": "string",
"last_run": {
"alerts_count": {
"active": 42.0,
"ignored": 42.0,
"new": 42.0,
"recovered": 42.0
},
"outcome": "succeeded",
"outcome_msg": [
"string"
],
"outcome_order": 42.0,
"warning": "read"
},
"mapped_params": {},
"monitoring": {
"run": {
"calculated_metrics": {
"p50": 42.0,
"p95": 42.0,
"p99": 42.0,
"success_ratio": 42.0
},
"history": [
{
"duration": 42.0,
"outcome": "succeeded",
"success": true,
"timestamp": 42.0
}
],
"last_run": {
"metrics": {
"duration": 42.0,
"gap_duration_s": 42.0,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_alerts_created": 42.0,
"total_alerts_detected": 42.0,
"total_indexing_duration_ms": 42.0,
"total_search_duration_ms": 42.0
},
"timestamp": "string"
}
}
},
"mute_all": true,
"muted_alert_ids": [
"string"
],
"name": "string",
"next_run": "string",
"notify_when": "onActionGroupChange",
"params": {},
"revision": 42.0,
"rule_type_id": "string",
"running": true,
"schedule": {
"interval": "string"
},
"scheduled_task_id": "string",
"snooze_schedule": [
{
"duration": 42.0,
"id": "string",
"rRule": {
"byhour": [
42.0
],
"byminute": [
42.0
],
"bymonth": [
42.0
],
"bymonthday": [
42.0
],
"bysecond": [
42.0
],
"bysetpos": [
42.0
],
"byweekday": [
"string"
],
"byweekno": [
42.0
],
"byyearday": [
42.0
],
"count": 42.0,
"dtstart": "string",
"freq": 0,
"interval": 42.0,
"tzid": "string",
"until": "string",
"wkst": "MO"
},
"skipRecurrences": [
"string"
]
}
],
"tags": [
"string"
],
"throttle": "string",
"updated_at": "string",
"updated_by": "string",
"view_in_app_relative_url": "string"
}Path parameters
-
id
string Required The identifier for the rule.
Body
-
actions
array[object] An action that runs under defined conditions.
Default value is
[](empty). -
alert_delay
object Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
Additional properties are NOT allowed.
-
flapping
object | null When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
Additional properties are NOT allowed.
-
name
string Required The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when
string | null Indicates how often alerts generate actions. Valid values include:
onActionGroupChange: Actions run when the alert status changes;onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met;onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specifynotify_whenat both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.Values are
onActionGroupChange,onActiveAlert, oronThrottleInterval. -
params
object The parameters for the rule.
Default value is
{}(empty). Additional properties are allowed. -
schedule
object Required Additional properties are NOT allowed.
-
throttle
string | null Use the
throttleproperty in the actionfrequencyobject instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
PUT
/api/alerting/rule/{id}
curl \
--request PUT 'https://localhost:5601/api/alerting/rule/{id}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"new name","tags":[],"params":{"index":[".updated-index"],"aggType":"avg","groupBy":"top","aggField":"sheet.version","termSize":6,"termField":"name.keyword","threshold":[1000],"timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m","thresholdComparator":"\u003e"},"actions":[{"id":"96b668d0-a1b6-11ed-afdf-d39a49596974","group":"threshold met","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"},"frequency":{"summary":false,"notify_when":"onActionGroupChange"}}],"schedule":{"interval":"1m"}}'
Request example
Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.
{
"name": "new name",
"tags": [],
"params": {
"index": [
".updated-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"schedule": {
"interval": "1m"
}
}
Response examples (200)
The response for successfully updating an index threshold rule.
{
"id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74",
"name": "new name",
"tags": [],
"params": {
"index": [
".updated-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
"uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
}
},
"mute_all": false,
"next_run": "2024-03-26T23:23:51.316Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2024-03-26T23:13:20.985Z",
"created_by": "elastic",
"updated_at": "2024-03-26T23:22:59.949Z",
"updated_by": "elastic",
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 52,
"last_execution_date": "2024-03-26T23:22:51.390Z"
},
"scheduled_task_id": "4c5eda00-e74f-11ec-b72f-5b18752ff9ea",
"api_key_created_by_user": false
}Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_mute_all
curl \
--request POST 'https://localhost:5601/api/alerting/rule/{id}/_mute_all' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_unmute_all
curl \
--request POST 'https://localhost:5601/api/alerting/rule/{id}/_unmute_all' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_update_api_key
curl \
--request POST 'https://localhost:5601/api/alerting/rule/{id}/_update_api_key' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
POST
/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
curl \
--request POST 'https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
POST
/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
curl \
--request POST 'https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Delete a snooze schedule for a rule
Path parameters
-
ruleId
string Required The identifier for the rule.
-
scheduleId
string Required The identifier for the snooze schedule.
DELETE
/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
curl \
--request DELETE 'https://localhost:5601/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Query parameters
-
per_page
number The number of rules to return per page.
Minimum value is
0. Default value is10. -
page
number The page number to return.
Minimum value is
1. Default value is1. -
search
string An Elasticsearch simple_query_string query that filters the objects in the response.
-
default_search_operator
string The default operator to use for the simple_query_string.
Values are
ORorAND. Default value isOR. -
search_fields
array[string] | string The fields to perform the simple_query_string parsed query against.
-
sort_field
string Determines which field is used to sort the results. The field must exist in the
attributeskey of the response. -
sort_order
string Determines the sort order.
Values are
ascordesc. -
has_reference
object | null Filters the rules that have a relation with the reference objects with a specific type and identifier.
Additional properties are NOT allowed.
-
fields
array[string] The fields to return in the
attributeskey of the response. -
filter
string A KQL string that you filter with an attribute from your saved object. It should look like
savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such asupdatedAt, you must define your filter, for example,savedObjectType.updatedAt > 2018-12-22. -
filter_consumers
array[string] List of consumers to filter.
GET
/api/alerting/rules/_find
curl \
--request GET 'https://localhost:5601/api/alerting/rules/_find' \
--header "Authorization: $API_KEY"
Response examples (200)
Index threshold rule
A response that contains information about an index threshold rule.
{
"data": [
{
"id": "3583a470-74f6-11ed-9801-35303b735aef",
"name": "my alert",
"tags": [
"cpu"
],
"params": {
"index": [
"test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "9dca3e00-74f5-11ed-9801-35303b735aef",
"uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
"connector_type_id": ".server-log"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
}
}
],
"enabled": true,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
}
},
"mute_all": false,
"next_run": "2022-12-06T01:45:23.912Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2022-12-05T23:40:33.132Z",
"created_by": "elastic",
"updated_at": "2022-12-05T23:40:33.132Z",
"updated_by": "elastic",
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 48,
"last_execution_date": "2022-12-06T01:44:23.983Z"
},
"scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
"api_key_created_by_user": false
}
],
"page": 1,
"total": 1,
"per_page": 10
}
A response that contains information about a security rule that has conditional actions.
{
"data": [
{
"id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
"name": "security_rule",
"tags": [],
"params": {
"to": "now",
"from": "now-3660s",
"meta": {
"from": "1h",
"kibana_siem_app_url": "https://localhost:5601/app/security"
},
"type": "threshold",
"index": [
"kibana_sample_data_logs"
],
"query": "*",
"author": [],
"ruleId": "an_internal_rule_id",
"threat": [],
"filters": [],
"license": "",
"version": 1,
"language": "kuery",
"severity": "low",
"immutable": false,
"riskScore": 21,
"threshold": {
"field": [
"bytes"
],
"value": 1,
"cardinality": []
},
"maxSignals": 100,
"references": [],
"description": "A security threshold rule.",
"outputIndex": "",
"exceptionsList": [],
"falsePositives": [],
"severityMapping": [],
"riskScoreMapping": []
},
"actions": [
{
"id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
"uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"group": "default",
"params": {
"documents": [
{
"rule_id": {
"[object Object]": null
},
"alert_id": {
"[object Object]": null
},
"rule_name": {
"[object Object]": null
},
"context_message": {
"[object Object]": null
}
}
]
},
"frequency": {
"summary": true,
"throttle": null,
"notify_when": "onActiveAlert"
},
"alerts_filter": {
"query": {
"kql": "",
"filters": [
{
"meta": {
"key": "client.geo.region_iso_code",
"alias": null,
"field": "client.geo.region_iso_code",
"index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
"negate": false,
"params": {
"type": "phrase",
"query": "CA-QC"
},
"disabled": false
},
"query": {
"match_phrase": {
"client.geo.region_iso_code": "CA-QC"
}
},
"$state": {
"store": "appState"
}
}
]
},
"timeframe": {
"days": [
7
],
"hours": {
"end": "17:00",
"start": "08:00"
},
"timezone": "UTC"
}
},
"connector_type_id": ".index"
}
],
"enabled": true,
"running": false,
"consumer": "siem",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": [
"Rule execution completed successfully"
],
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
},
"outcome_order": 0
},
"mute_all": false,
"next_run": "2023-05-16T20:27:49.507Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2023-05-16T15:50:28.358Z",
"created_by": "elastic",
"updated_at": "2023-05-16T20:25:42.559Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": "siem.thresholdRule",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 166,
"last_execution_date": "2023-05-16T20:26:49.590Z"
},
"scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
"api_key_created_by_user": false
}
],
"page": 1,
"total": 1,
"per_page": 10
}Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Body
Required
-
environment
string Environment
-
name
string Name
DELETE
/api/apm/settings/agent-configuration
curl \
--request DELETE 'https://localhost:5601/api/apm/settings/agent-configuration' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"environment":"prod","name":"node"}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"environment": "prod",
"name": "node"
}
Response examples (200)
{
"result": "string"
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Get agent name for service
Retrieve agentName for a service.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
Query parameters
-
serviceName
string Required The name of the service
GET
/api/apm/settings/agent-configuration/agent_name
curl \
--request GET 'https://localhost:5601/api/apm/settings/agent-configuration/agent_name?serviceName=node' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"
Response examples (200)
{
"agentName": "nodejs"
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Get environments for service
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
Query parameters
-
serviceName
string The name of the service
GET
/api/apm/settings/agent-configuration/environments
curl \
--request GET 'https://localhost:5601/api/apm/settings/agent-configuration/environments' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"
Response examples (200)
{
"environments": [
{
"alreadyConfigured": true,
"name": "ALL_OPTION_VALUE"
}
]
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Lookup single agent configuration
This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Body
Required
-
etag
string If etags match then
applied_by_agentfield will be set totrue -
mark_as_applied_by_agent
boolean markAsAppliedByAgent=truemeans "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags -
service
object Required Service
POST
/api/apm/settings/agent-configuration/search
curl \
--request POST 'https://localhost:5601/api/apm/settings/agent-configuration/search' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"etag":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","mark_as_applied_by_agent":true,"service":{"environment":"prod","name":"node"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"mark_as_applied_by_agent": true,
"service": {
"environment": "prod",
"name": "node"
}
}
Response examples (200)
{
"_id": "string",
"_index": "string",
"_score": 42.0,
"_source": {
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Get source maps
Get an array of Fleet artifacts, including source map uploads. You must have read or all Kibana privileges for the APM and User Experience feature.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
GET
/api/apm/sourcemaps
curl -X GET "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: application/json' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}'
Response examples (200)
A successful response from `GET /api/apm/sourcemaps`.
{
"artifacts": [
{
"type": "sourcemap",
"identifier": "foo-1.0.0",
"relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"body": {
"serviceName": "foo",
"serviceVersion": "1.0.0",
"bundleFilepath": "/test/e2e/general-usecase/bundle.js",
"sourceMap": {
"version": 3,
"file": "static/js/main.chunk.js",
"sources": [
"fleet-source-map-client/src/index.css",
"fleet-source-map-client/src/App.js",
"webpack:///./src/index.css?bb0a",
"fleet-source-map-client/src/index.js",
"fleet-source-map-client/src/reportWebVitals.js"
],
"sourcesContent": [
"content"
],
"mappings": "mapping",
"sourceRoot": ""
}
},
"created": "2021-07-09T20:47:44.812Z",
"id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"compressionAlgorithm": "zlib",
"decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"decodedSize": 441,
"encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24",
"encodedSize": 237,
"encryptionAlgorithm": "none",
"packageName": "apm"
}
]
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (500)
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Response examples (501)
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}Upload a source map
Upload a source map for a specific service and version. You must have all Kibana privileges for the APM and User Experience feature.
The maximum payload size is 1mb. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the server.maxPayload variable.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Body
Required
-
bundle_filepath
string Required The absolute path of the final bundle as used in the web application.
-
service_name
string Required The name of the service that the service map should apply to.
-
service_version
string Required The version of the service that the service map should apply to.
-
sourcemap
string(binary) Required The source map. It can be a string or file upload. It must follow the source map format specification.
POST
/api/apm/sourcemaps
curl -X POST "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: multipart/form-data' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}' \
-F 'service_name="foo"' \
-F 'service_version="1.0.0"' \
-F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \
-F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"'
Response examples (200)
A successful response from `POST /api/apm/sourcemaps`.
{
"id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"body": "eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI",
"type": "sourcemap",
"created": "2021-07-09T20:47:44.812Z",
"identifier": "foo-1.0.0",
"decodedSize": 441,
"encodedSize": 237,
"packageName": "apm",
"relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24",
"encryptionAlgorithm": "none",
"compressionAlgorithm": "zlib"
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (500)
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Response examples (501)
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}Cases
Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.
Create a case
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.
Body
Required
-
assignees
array[object] | null An array containing users that are assigned to the case.
Not more than
10elements. -
category
string A word or phrase that categorizes the case.
Maximum length is
50. connector
object Required One of: Cases_connector_properties_noneobject Cases_connector_properties_cases_webhookobject Cases_connector_properties_jiraobject Cases_connector_properties_resilientobject Cases_connector_properties_servicenowobject Cases_connector_properties_servicenow_sirobject Cases_connector_properties_swimlaneobject Defines properties for connectors when type is
.none.-
customFields
array[object] Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
At least
0but not more than10elements. -
description
string Required The description for the case.
Maximum length is
30000. -
owner
string Required The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are
cases,observability, orsecuritySolution. -
settings
object Required An object that contains the case settings.
-
severity
string The severity of the case.
Values are
critical,high,low, ormedium. Default value islow. -
title
string Required A title for the case.
Maximum length is
160.
POST
/api/cases
curl \
--request POST 'https://localhost:5601/api/cases' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'
Request example
{
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title 1",
"settings": {
"syncAlerts": true
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"description": "A case description.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
}
]
}
Response examples (200)
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzUzMiwxXQ==",
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"created_at": "2022-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null,
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 0,
"external_service": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Search cases
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Query parameters
-
assignees
string | array[string] Filters the returned cases by assignees. Valid values are
noneor unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. -
category
string | array[string] Filters the returned cases by category.
-
defaultSearchOperator
string he default operator to use for the simple_query_string.
Default value is
OR. -
from
string Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
-
page
integer The page number to return.
Default value is
1. -
perPage
integer The number of items to return. Limited to 100 items.
Maximum value is
100. Default value is20. -
reporters
string | array[string] Filters the returned cases by the user name of the reporter.
-
search
string An Elasticsearch simple_query_string query that filters the objects in the response.
-
searchFields
string | array[string] The fields to perform the simple_query_string parsed query against.
-
severity
string The severity of the case.
Values are
critical,high,low, ormedium. -
sortField
string Determines which field is used to sort the results.
Values are
createdAt,updatedAt,closedAt,title,category,status, orseverity. Default value iscreatedAt. -
sortOrder
string Determines the sort order.
Values are
ascordesc. Default value isdesc. -
status
string Filters the returned cases by state.
Values are
closed,in-progress, oropen. -
to
string Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.
GET
/api/cases/_find
curl \
--request GET 'https://localhost:5601/api/cases/_find' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"page": 1,
"cases": [
{
"id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title",
"status": "open",
"version": "WzExMCwxXQ==",
"category": null,
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-12T00:16:36.371Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-12T00:27:58.162Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "Case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}
],
"total": 1,
"per_page": 5,
"count_open_cases": 1,
"count_closed_cases": 0,
"count_in_progress_cases": 0
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case information
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
GET
/api/cases/{caseId}
curl \
--request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414' \
--header "Authorization: $API_KEY"
Response examples (200)
Retrieves information about a case including its comments.
{
"id": "31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzM2LDFd",
"category": null,
"comments": [
{
"id": "2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
"type": "user",
"owner": "cases",
"comment": "A new comment",
"version": "WzM3LDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-13T15:40:32.335Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-13T15:40:32.335Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}{
"id": "c3ff7550-def1-4e90-b6bc-c9969a4a09b1",
"tags": [
"observability",
"tag 1"
],
"owner": "observability",
"title": "Observability case title 1",
"status": "in-progress",
"version": "WzI0NywyXQ==",
"category": null,
"comments": [
{
"id": "59d438d0-79a9-4864-8d4b-e63adacebf6e",
"rule": {
"id": "03e4eb87-62ca-4e5d-9570-3d7625e9669d",
"name": "Observability rule"
},
"type": "alert",
"index": [
".internal.alerts-observability.logs.alerts-default-000001"
],
"owner": "observability",
"alertId": [
"a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
],
"version": "WzY3LDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:38.424Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
},
{
"id": "d99342d3-3aa3-4b80-90ec-a702607604f5",
"type": "user",
"owner": "observability",
"comment": "The first comment.",
"version": "WzcyLDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:57.812Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [
{
"uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-11-06T19:29:04.086Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": "2023-11-06T19:47:55.662Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "An Observability case description.",
"totalAlerts": 1,
"customFields": [],
"totalComment": 1,
"external_service": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Get all alerts for a case
Technical preview
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
GET
/api/cases/{caseId}/alerts
curl \
--request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/alerts' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "f6a7d0c3-d52d-432c-b2e6-447cd7fce04d",
"index": ".alerts-observability.logs.alerts-default",
"attached_at": "2022-07-25T20:09:40.963Z"
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Delete all case comments and alerts
Deletes all comments and alerts from a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
DELETE
/api/cases/{caseId}/comments
curl \
--request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Attach a file to a case
Attach a file to a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:
- The
Content-Type: multipart/form-dataHTTP header. - The location of the file that is being uploaded.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
POST
/api/cases/{caseId}/files
curl \
--request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \
--header "Authorization: $API_KEY" \
--header "Content-Type: multipart/form-data" \
--header "kbn-xsrf: string" \
--form "file=@file" \
--form "filename=string"
Response examples (200)
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case settings
Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.
Query parameters
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
GET
/api/cases/configure
curl \
--request GET 'https://localhost:5601/api/cases/configure' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "856ee650-6c82-11ee-a20a-6164169afa58",
"error": null,
"owner": "cases",
"version": "WzEyLDNd",
"mappings": [],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"templates": [
{
"key": "505932fe-ee3a-4960-a661-c781b5acdb05",
"name": "template-1",
"tags": [
"Template tag 1"
],
"caseFields": {
"tags": [
"Default case tag"
],
"title": "Default case title",
"category": "Default-category",
"settings": {
"syncAlerts": false
},
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"description": "A default description for cases.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Default text field value."
}
]
},
"description": "A description of the template."
}
],
"created_at": "2024-07-01T17:07:17.767Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": null,
"updated_by": null,
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": false,
"defaultValue": "Custom text field value."
}
]
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case creators
Returns information about the users who opened cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.
Query parameters
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
GET
/api/cases/reporters
curl \
--request GET 'https://localhost:5601/api/cases/reporters' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
{
"email": "jdoe@example.com",
"username": "jdoe",
"full_name": "Jane Doe",
"profile_uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Connectors
Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.
Get connector types
You do not need any Kibana feature privileges to run this API.
Query parameters
-
feature_id
string A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).
GET
/api/actions/connector_types
curl \
--request GET 'https://localhost:5601/api/actions/connector_types' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": ".gen-ai",
"name": "OpenAI",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity",
"generativeAIForObservability",
"generativeAIForSearchPlayground"
],
"minimum_license_required": "enterprise"
},
{
"id": ".bedrock",
"name": "AWS Bedrock",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity",
"generativeAIForObservability",
"generativeAIForSearchPlayground"
],
"minimum_license_required": "enterprise"
},
{
"id": ".gemini",
"name": "Google Gemini",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity"
],
"minimum_license_required": "enterprise"
}
]Path parameters
-
id
string Required An identifier for the connector.
GET
/api/actions/connector/{id}
curl \
--request GET 'https://localhost:5601/api/actions/connector/{id}' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"id": "df770e30-8b8b-11ed-a780-3b746c987a81",
"name": "my_server_log_connector",
"config": {},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".server-log",
"is_missing_secrets": false
}Path parameters
-
id
string Required An identifier for the connector.
Body
-
name
string Required The display name for the connector.
config
object The connector configuration details.
One of: bedrock_configobject crowdstrike_configobject d3security_configobject email_configobject gemini_configobject resilient_configobject index_configobject jira_configobject genai_azure_configobject genai_openai_configobject opsgenie_configobject pagerduty_configobject sentinelone_configobject servicenow_configobject servicenow_itom_configobject slack_api_configobject swimlane_configobject thehive_configobject tines_configobject torq_configobject webhook_configobject cases_webhook_configobject xmatters_configobject Defines properties for connectors when type is
.bedrock.secrets
object One of: bedrock_secretsobject crowdstrike_secretsobject d3security_secretsobject email_secretsobject gemini_secretsobject resilient_secretsobject jira_secretsobject teams_secretsobject genai_secretsobject opsgenie_secretsobject pagerduty_secretsobject sentinelone_secretsobject servicenow_secretsobject slack_api_secretsobject swimlane_secretsobject thehive_secretsobject tines_secretsobject torq_secretsobject webhook_secretsobject cases_webhook_secretsobject xmatters_secretsobject Defines secrets for connectors when type is
.bedrock.
PUT
/api/actions/connector/{id}
curl \
--request PUT 'https://localhost:5601/api/actions/connector/{id}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"updated-connector","config":{"index":"updated-index"}}'
Request example
{
"name": "updated-connector",
"config": {
"index": "updated-index"
}
}
Response examples (200)
{
"config": {},
"connector_type_id": "string",
"id": "string",
"is_deprecated": true,
"is_missing_secrets": true,
"is_preconfigured": true,
"is_system_action": true,
"name": "string"
}Path parameters
-
id
string Required An identifier for the connector.
Body
-
connector_type_id
string Required The type of connector.
-
name
string Required The display name for the connector.
config
object The connector configuration details.
One of: bedrock_configobject crowdstrike_configobject d3security_configobject email_configobject gemini_configobject resilient_configobject index_configobject jira_configobject genai_azure_configobject genai_openai_configobject opsgenie_configobject pagerduty_configobject sentinelone_configobject servicenow_configobject servicenow_itom_configobject slack_api_configobject swimlane_configobject thehive_configobject tines_configobject torq_configobject webhook_configobject cases_webhook_configobject xmatters_configobject Defines properties for connectors when type is
.bedrock.secrets
object One of: bedrock_secretsobject crowdstrike_secretsobject d3security_secretsobject email_secretsobject gemini_secretsobject resilient_secretsobject jira_secretsobject teams_secretsobject genai_secretsobject opsgenie_secretsobject pagerduty_secretsobject sentinelone_secretsobject servicenow_secretsobject slack_api_secretsobject swimlane_secretsobject thehive_secretsobject tines_secretsobject torq_secretsobject webhook_secretsobject cases_webhook_secretsobject xmatters_secretsobject Defines secrets for connectors when type is
.bedrock.
POST
/api/actions/connector/{id}
curl \
--request POST 'https://localhost:5601/api/actions/connector/{id}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"email-connector-1","config":{"from":"tester@example.com","host":"https://example.com","port":1025,"secure":false,"hasAuth":true,"service":"other"},"secrets":{"user":"username","password":"password"},"connector_type_id":".email"}'
Request examples
Create an email connector.
{
"name": "email-connector-1",
"config": {
"from": "tester@example.com",
"host": "https://example.com",
"port": 1025,
"secure": false,
"hasAuth": true,
"service": "other"
},
"secrets": {
"user": "username",
"password": "password"
},
"connector_type_id": ".email"
}{
"name": "my-connector",
"config": {
"index": "test-index"
},
"connector_type_id": ".index"
}{
"name": "my-webhook-connector",
"config": {
"url": "https://example.com",
"method": "post",
"authType": "webhook-authentication-ssl",
"certType": "ssl-crt-key"
},
"secrets": {
"crt": "QmFnIEF0dH...",
"key": "LS0tLS1CRUdJ...",
"password": "my-passphrase"
},
"connector_type_id": ".webhook"
}{
"name": "my-xmatters-connector",
"config": {
"usesBasic": false
},
"secrets": {
"secretsUrl": "https://example.com?apiKey=xxxxx"
},
"connector_type_id": ".xmatters"
}
Response examples (200)
A new email connector.
{
"id": "90a82c60-478f-11ee-a343-f98a117c727f",
"name": "email-connector-1",
"config": {
"from": "tester@example.com",
"host": "https://example.com",
"port": 1025,
"secure": false,
"hasAuth": true,
"service": "other",
"clientId": null,
"tenantId": null,
"oauthTokenUrl": null
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".email",
"is_missing_secrets": false
}{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"name": "my-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".index",
"is_missing_secrets": false
}{
"id": "900eb010-3b9d-11ee-a642-8ffbb94e38bd",
"name": "my-webhook-connector",
"config": {
"url": "https://example.com",
"method": "post",
"hasAuth": true,
"headers": null,
"authType": "webhook-authentication-ssl",
"certType": "ssl-crt-key",
"verificationMode": "full"
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".webhook",
"is_missing_secrets": false
}{
"id": "df770e30-8b8b-11ed-a780-3b746c987a81",
"name": "my_server_log_connector",
"config": {},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".server-log",
"is_missing_secrets": false
}