Api key auth (http_api_key)
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
The API accepts 2 different authentication methods:
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
Basic auth tokens are constructed with the Basic
keyword, followed by a space, followed by a base64-encoded string of your username:password
(separated by a :
colon).
Example: send a Authorization: Basic aGVsbG86aGVsbG8=
HTTP header with your requests to authenticate with the API.
Spaces enable you to organize your dashboards and other saved objects into meaningful categories. You can use the default space or create your own spaces.
To run APIs in non-default spaces, you must add s/{space_id}/
to the path.
For example:
curl -X GET "http://localhost:5601/s/marketing/api/data_views"
If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier.
To learn more, check out Spaces.
You must have read
privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.
curl \
--request GET https://localhost:5601/api/alerting/_health
{
"is_sufficiently_secure": true,
"alerting_framework_health": {
"read_health": {
"status": "ok",
"timestamp": "2023-01-13T01:28:00.280Z"
},
"execution_health": {
"status": "ok",
"timestamp": "2023-01-13T01:28:00.280Z"
},
"decryption_health": {
"status": "ok",
"timestamp": "2023-01-13T01:28:00.280Z"
}
},
"has_permanent_encryption_key": true
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
The identifier for the rule.
curl \
--request DELETE https://localhost:5601/api/alerting/rule/{id} \
--header "kbn-xsrf: true"
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_enable \
--header "kbn-xsrf: true"
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_mute_all \
--header "kbn-xsrf: true"
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_unmute_all \
--header "kbn-xsrf: true"
The identifier for the rule.
The identifier for the alert.
curl \
--request POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute \
--header "kbn-xsrf: true"
The identifier for the rule.
The identifier for the alert.
curl \
--request POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute \
--header "kbn-xsrf: true"
The number of rules to return per page.
Minimum value is 0
. Default value is 10
.
The page number to return.
Minimum value is 1
. Default value is 1
.
An Elasticsearch simple_query_string query that filters the objects in the response.
The default operator to use for the simple_query_string.
Values are OR
or AND
. Default value is OR
.
The fields to perform the simple_query_string parsed query against.
Determines which field is used to sort the results. The field must exist in the attributes
key of the response.
Determines the sort order.
Values are asc
or desc
.
Filters the rules that have a relation with the reference objects with a specific type and identifier.
Additional properties are NOT allowed.
The fields to return in the attributes
key of the response.
A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle"
. However, if you used a direct attribute of a saved object, such as updatedAt
, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22
.
List of consumers to filter.
curl \
--request GET https://localhost:5601/api/alerting/rules/_find
{
"data": [
{
"id": "3583a470-74f6-11ed-9801-35303b735aef",
"name": "my alert",
"tags": [
"cpu"
],
"params": {
"index": [
"test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "9dca3e00-74f5-11ed-9801-35303b735aef",
"uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
"connector_type_id": ".server-log"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
}
}
],
"enabled": true,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
}
},
"mute_all": false,
"next_run": "2022-12-06T01:45:23.912Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2022-12-05T23:40:33.132Z",
"created_by": "elastic",
"updated_at": "2022-12-05T23:40:33.132Z",
"updated_by": "elastic",
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 48,
"last_execution_date": "2022-12-06T01:44:23.983Z"
},
"scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
"api_key_created_by_user": false
}
],
"page": 1,
"total": 1,
"per_page": 10
}
{
"data": [
{
"id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
"name": "security_rule",
"tags": [],
"params": {
"to": "now",
"from": "now-3660s",
"meta": {
"from": "1h",
"kibana_siem_app_url": "https://localhost:5601/app/security"
},
"type": "threshold",
"index": [
"kibana_sample_data_logs"
],
"query": "*",
"author": [],
"ruleId": "an_internal_rule_id",
"threat": [],
"filters": [],
"license": "",
"version": 1,
"language": "kuery",
"severity": "low",
"immutable": false,
"riskScore": 21,
"threshold": {
"field": [
"bytes"
],
"value": 1,
"cardinality": []
},
"maxSignals": 100,
"references": [],
"description": "A security threshold rule.",
"outputIndex": "",
"exceptionsList": [],
"falsePositives": [],
"severityMapping": [],
"riskScoreMapping": []
},
"actions": [
{
"id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
"uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"group": "default",
"params": {
"documents": [
{
"rule_id": {
"[object Object]": null
},
"alert_id": {
"[object Object]": null
},
"rule_name": {
"[object Object]": null
},
"context_message": {
"[object Object]": null
}
}
]
},
"frequency": {
"summary": true,
"throttle": null,
"notify_when": "onActiveAlert"
},
"alerts_filter": {
"query": {
"kql": "",
"filters": [
{
"meta": {
"key": "client.geo.region_iso_code",
"alias": null,
"field": "client.geo.region_iso_code",
"index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
"negate": false,
"params": {
"type": "phrase",
"query": "CA-QC"
},
"disabled": false
},
"query": {
"match_phrase": {
"client.geo.region_iso_code": "CA-QC"
}
},
"$state": {
"store": "appState"
}
}
]
},
"timeframe": {
"days": [
7
],
"hours": {
"end": "17:00",
"start": "08:00"
},
"timezone": "UTC"
}
},
"connector_type_id": ".index"
}
],
"enabled": true,
"running": false,
"consumer": "siem",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": [
"Rule execution completed successfully"
],
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
},
"outcome_order": 0
},
"mute_all": false,
"next_run": "2023-05-16T20:27:49.507Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2023-05-16T15:50:28.358Z",
"created_by": "elastic",
"updated_at": "2023-05-16T20:25:42.559Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": "siem.thresholdRule",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 166,
"last_execution_date": "2023-05-16T20:26:49.590Z"
},
"scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
"api_key_created_by_user": false
}
],
"page": 1,
"total": 1,
"per_page": 10
}
Adjust APM agent configuration without need to redeploy your application.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
If the config exists ?overwrite=true is required
Agent name
Service
Additional properties are allowed.
Agent configuration settings
curl \
--request PUT https://localhost:5601/api/apm/settings/agent-configuration \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"agent_name":"string","service":{"environment":"prod","name":"node"},"settings":{"additionalProperty1":"string","additionalProperty2":"string"}}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"agent_name": "string",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
{}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Retrieve agentName
for a service.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
The name of the service
curl \
--request GET https://localhost:5601/api/apm/settings/agent-configuration/agent_name?serviceName=node \
--header "elastic-api-version: 2023-10-31"
{
"agentName": "nodejs"
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
The name of the service
curl \
--request GET https://localhost:5601/api/apm/settings/agent-configuration/environments \
--header "elastic-api-version: 2023-10-31"
{
"environments": [
{
"alreadyConfigured": true,
"name": "ALL_OPTION_VALUE"
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
If etags match then applied_by_agent
field will be set to true
markAsAppliedByAgent=true
means "force setting it to true regardless of etag".
This is needed for Jaeger agent that doesn't have etags
Service
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/apm/settings/agent-configuration/search \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"etag":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","mark_as_applied_by_agent":true,"service":{"environment":"prod","name":"node"}}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"mark_as_applied_by_agent": true,
"service": {
"environment": "prod",
"name": "node"
}
}
{
"_id": "string",
"_index": "string",
"_score": 42.0,
"_source": {
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Configure APM agent keys to authorize requests from APM agents to the APM Server.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
Agent name
Privileges configuration
Values are event:write
or config_agent:read
.
curl \
--request POST https://localhost:5601/api/apm/agent_keys \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"name":"string","privileges":["event:write"]}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"name": "string",
"privileges": [
"event:write"
]
}
{
"agentKey": {
"api_key": "string",
"encoded": "string",
"expiration": 42,
"id": "string",
"name": "string"
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
Create a new annotation for a specific service.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
The name of the service
curl \
--request POST https://localhost:5601/api/apm/services/{serviceName}/annotation \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"@timestamp": "string",
"message": "string",
"service": {
"environment": "string",
"version": "string"
},
"tags": [
"string"
]
}
{
"_id": "string",
"_index": "string",
"_source": {
"@timestamp": "string",
"annotation": {
"title": "string",
"type": "string"
},
"event": {
"created": "string"
},
"message": "string",
"service": {
"environment": "string",
"name": "string",
"version": "string"
},
"tags": [
"string"
]
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Search for annotations related to a specific service.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
The name of the service
The environment to filter annotations by
The start date for the search
The end date for the search
curl \
--request GET https://localhost:5601/api/apm/services/{serviceName}/annotation/search \
--header "elastic-api-version: 2023-10-31"
{
"annotations": [
{
"@timestamp": 42.0,
"id": "string",
"text": "string",
"type": "version"
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Create APM fleet server schema.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
curl \
--request POST https://localhost:5601/api/apm/fleet/apm_server_schema \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"schema":{"foo":"bar"}}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"schema": {
"foo": "bar"
}
}
{}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Returns an array of Fleet artifacts, including source map uploads.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
curl \
--request GET https://localhost:5601/api/apm/sourcemaps \
--header "elastic-api-version: 2023-10-31"
{
"artifacts": [
{
"body": {
"bundleFilepath": "string",
"serviceName": "string",
"serviceVersion": "string",
"sourceMap": {
"file": "string",
"mappings": "string",
"sourceRoot": "string",
"sources": [
"string"
],
"sourcesContent": [
"string"
],
"version": 42.0
}
},
"compressionAlgorithm": "string",
"created": "string",
"decodedSha256": "string",
"decodedSize": 42.0,
"encodedSha256": "string",
"encodedSize": 42.0,
"encryptionAlgorithm": "string",
"id": "string",
"identifier": "string",
"packageName": "string",
"relative_url": "string",
"type": "string"
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
The absolute path of the final bundle as used in the web application.
The name of the service that the service map should apply to.
The version of the service that the service map should apply to.
The source map. String or file upload. It must follow the source map revision 3 proposal.
curl \
--request POST https://localhost:5601/api/apm/sourcemaps \
--header "Content-Type: multipart/form-data" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--form "bundle_filepath=string" \
--form "service_name=string" \
--form "service_version=string" \
--form "sourcemap=@file"
{
"body": "string",
"compressionAlgorithm": "string",
"created": "string",
"decodedSha256": "string",
"decodedSize": 42.0,
"encodedSha256": "string",
"encodedSize": 42.0,
"encryptionAlgorithm": "string",
"id": "string",
"identifier": "string",
"packageName": "string",
"relative_url": "string",
"type": "string"
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
Source map identifier
Successful response
Additional properties are NOT allowed.
Bad Request response
Unauthorized response
Forbidden response
Internal Server Error response
Not Implemented response
curl \
--request DELETE https://localhost:5601/api/apm/sourcemaps/{id} \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true"
{}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Filters the returned cases by assignees. Valid values are none
or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.
Filters the returned cases by category.
he default operator to use for the simple_query_string.
Default value is OR
.
Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
The page number to return.
Default value is 1
.
The number of items to return. Limited to 100 items.
Maximum value is 100
. Default value is 20
.
Filters the returned cases by the user name of the reporter.
An Elasticsearch simple_query_string query that filters the objects in the response.
The fields to perform the simple_query_string parsed query against.
The severity of the case.
Values are critical
, high
, low
, or medium
.
Determines which field is used to sort the results.
Values are createdAt
, updatedAt
, closedAt
, title
, category
, status
, or severity
. Default value is createdAt
.
Determines the sort order.
Values are asc
or desc
. Default value is desc
.
Filters the returned cases by state.
Values are closed
, in-progress
, or open
.
Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.
curl \
--request GET https://localhost:5601/api/cases/_find
{
"page": 1,
"cases": [
{
"id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title",
"status": "open",
"version": "WzExMCwxXQ==",
"category": null,
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-12T00:16:36.371Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-12T00:27:58.162Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "Case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}
],
"total": 1,
"per_page": 5,
"count_open_cases": 1,
"count_closed_cases": 0,
"count_in_progress_cases": 0
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414
{
"id": "31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzM2LDFd",
"category": null,
"comments": [
{
"id": "2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
"type": "user",
"owner": "cases",
"comment": "A new comment",
"version": "WzM3LDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-13T15:40:32.335Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-13T15:40:32.335Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}
{
"id": "c3ff7550-def1-4e90-b6bc-c9969a4a09b1",
"tags": [
"observability",
"tag 1"
],
"owner": "observability",
"title": "Observability case title 1",
"status": "in-progress",
"version": "WzI0NywyXQ==",
"category": null,
"comments": [
{
"id": "59d438d0-79a9-4864-8d4b-e63adacebf6e",
"rule": {
"id": "03e4eb87-62ca-4e5d-9570-3d7625e9669d",
"name": "Observability rule"
},
"type": "alert",
"index": [
".internal.alerts-observability.logs.alerts-default-000001"
],
"owner": "observability",
"alertId": [
"a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
],
"version": "WzY3LDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:38.424Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
},
{
"id": "d99342d3-3aa3-4b80-90ec-a702607604f5",
"type": "user",
"owner": "observability",
"comment": "The first comment.",
"version": "WzcyLDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:57.812Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [
{
"uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-11-06T19:29:04.086Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": "2023-11-06T19:47:55.662Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "An Observability case description.",
"totalAlerts": 1,
"customFields": [],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/alerts
[
{
"id": "f6a7d0c3-d52d-432c-b2e6-447cd7fce04d",
"index": ".alerts-observability.logs.alerts-default",
"attached_at": "2022-07-25T20:09:40.963Z"
}
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Deletes all comments and alerts from a case. You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request DELETE https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
--header "kbn-xsrf: string"
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.
curl \
--request DELETE https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 \
--header "kbn-xsrf: string"
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have all
privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
An identifier for the connector. To retrieve connector IDs, use the find connectors API.
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/connector/abed3a70-71bd-11ea-a0b2-c51ea50a58e2/_push \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string"
# Headers
kbn-xsrf: string
# Payload
{}
{
"id": "b917f300-0ed9-11ed-bd18-65557fe66949",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzE3NjgsM10=",
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"closed_at": null,
"closed_by": null,
"connector": {
"id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "Low",
"issueType": "10006"
}
},
"created_at": "2022-07-29T00:59:39.444Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": "2022-07-29T01:20:58.436Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"description": "A case description.",
"totalAlerts": 0,
"totalComment": 0,
"external_service": {
"pushed_at": "2022-07-29T01:20:58.436Z",
"pushed_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"external_id": "71926",
"connector_id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
"external_url": "https://cases.jira.com",
"connector_name": "My connector",
"external_title": "ES-554"
}
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Attach a file to a case. You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:
Content-Type: multipart/form-data
HTTP header.The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files \
--header "Content-Type: multipart/form-data" \
--header "kbn-xsrf: string" \
--form "file=@file" \
--form "filename=string"
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Retrives a paginated list of user activity for a case. You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
The page number to return.
Default value is 1
.
The number of items to return. Limited to 100 items.
Maximum value is 100
. Default value is 20
.
Determines the sort order.
Values are asc
or desc
. Default value is desc
.
Determines the types of user actions to return.
Values are action
, alert
, assignees
, attachment
, comment
, connector
, create_case
, description
, pushed
, settings
, severity
, status
, tags
, title
, or user
.
curl \
--request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions/_find
{
"page": 1,
"total": 3,
"perPage": 20,
"userActions": [
{
"id": "b4cd0770-07c9-11ed-a5fd-47154cb8767e",
"type": "create_case",
"owner": "cases",
"action": "create",
"payload": {
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"category": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"description": "A case description.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
]
},
"version": "WzM1ODg4LDFd",
"comment_id": null,
"created_at": "2023-10-20T01:17:22.150Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
},
{
"id": "57af14a0-03b1-11ed-920c-974bfa104448",
"type": "comment",
"owner": "cases",
"action": "create",
"payload": {
"type": "user",
"owner": "cases",
"comment": "A new comment"
},
"version": "WzM1ODg4LDFa",
"comment_id": "578608d0-03b1-11ed-920c-974bfa104448",
"created_at": "2023-10-14T20:12:53.354Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
},
{
"id": "573c6980-6123-11ed-aa41-81a0a61fe447",
"type": "assignees",
"owner": "cases",
"action": "add",
"payload": {
"assignees": {
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
},
"version": "WzM1ODg4LDFb",
"comment_id": null,
"created_at": "2023-10-20T01:10:28.238Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
}
]
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
An identifier for the alert.
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
curl \
--request GET https://localhost:5601/api/cases/alerts/09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540
[
{
"id": "06116b80-e1c3-11ec-be9b-9b1838238ee6",
"title": "security_case"
}
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where you are creating cases.
Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing
) or not automatically closed (close-by-user
).
Values are close-by-pushing
or close-by-user
.
An object that contains the connector configuration.
Additional properties are allowed.
Custom fields case configuration.
At least 0
but not more than 10
elements.
The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are cases
, observability
, or securitySolution
.
curl \
--request POST https://localhost:5601/api/cases/configure \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"owner":"cases","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"templates":[{"key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"],"caseFields":{"tags":["Default case tag"],"title":"Default case title","category":"Default-category","assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"description":"A default description for cases.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"A text field value for the template."}]},"description":"A description of the template."}],"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":false,"defaultValue":"My custom field default value."}]}'
{
"owner": "cases",
"connector": {
"id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
"name": "my-jira-connector",
"type": ".jira",
"fields": null
},
"templates": [
{
"key": "505932fe-ee3a-4960-a661-c781b5acdb05",
"name": "template-1",
"tags": [
"Template tag 1"
],
"caseFields": {
"tags": [
"Default case tag"
],
"title": "Default case title",
"category": "Default-category",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"description": "A default description for cases.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "A text field value for the template."
}
]
},
"description": "A description of the template."
}
],
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": false,
"defaultValue": "My custom field default value."
}
]
}
{
"id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
"error": null,
"owner": "cases",
"version": "WzIwNzMsMV0=",
"mappings": [
{
"source": "title",
"target": "summary",
"action_type": "overwrite"
},
{
"source": "description",
"target": "description",
"action_type": "overwrite"
},
{
"source": "comments",
"target": "comments",
"action_type": "append"
},
{
"source": "tags",
"target": "labels",
"action_type": "overwrite"
}
],
"connector": {
"id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
"name": "my-jira-connector",
"type": ".jira",
"fields": null
},
"templates": [
{
"key": "505932fe-ee3a-4960-a661-c781b5acdb05",
"name": "template-1",
"tags": [
"Template tag 1"
],
"caseFields": {
"tags": [
"Default case tag"
],
"title": "Default case title",
"category": "Default-category",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"description": "A default description for cases.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "A text field value for the template."
}
]
},
"description": "A description of the template."
}
],
"created_at": "2024-07-01T17:07:17.767Z",
"created_by": {
"email": "null,",
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null,
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": false,
"defaultValue": "My custom field default value."
}
]
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the case was created.
An identifier for the configuration.
Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing
) or not automatically closed (close-by-user
).
Values are close-by-pushing
or close-by-user
.
An object that contains the connector configuration.
Additional properties are allowed.
Custom fields case configuration.
The version of the connector. To retrieve the version value, use the get configuration API.
curl \
--request PATCH https://localhost:5601/api/cases/configure/3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"version":"WzExOSw0XQ==","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":true,"defaultValue":"A new default value."},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","label":"my-toggle","required":false}]}'
{
"version": "WzExOSw0XQ==",
"connector": {
"id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
"name": "my-jira-connector",
"type": ".jira",
"fields": null
},
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": true,
"defaultValue": "A new default value."
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"label": "my-toggle",
"required": false
}
]
}
{
"id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
"error": null,
"owner": "cases",
"version": "WzI2LDNd",
"mappings": [
{
"source": "title",
"target": "summary",
"action_type": "overwrite"
},
{
"source": "description",
"target": "description",
"action_type": "overwrite"
},
{
"source": "tags",
"target": "labels",
"action_type": "overwrite"
},
{
"source": "comments",
"target": "comments",
"action_type": "append"
}
],
"connector": {
"id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
"name": "my-jira-connector",
"type": ".jira",
"fields": null
},
"templates": [],
"created_at": "2024-07-01T17:07:17.767Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2024-07-19T00:52:42.401Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": true,
"defaultValue": "A new default value."
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"label": "my-toggle",
"required": false
}
]
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.
An identifier for the connector.
curl \
--request GET https://localhost:5601/api/actions/connector/{id}
{
"id": "df770e30-8b8b-11ed-a780-3b746c987a81",
"name": "my_server_log_connector",
"config": {},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".server-log",
"is_missing_secrets": false
}
An identifier for the connector.
The display name for the connector.
The connector configuration details.
Defines properties for connectors when type is .bedrock
.
Defines secrets for connectors when type is .bedrock
.
curl \
--request PUT https://localhost:5601/api/actions/connector/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"updated-connector","config":{"index":"updated-index"}}'
{
"name": "updated-connector",
"config": {
"index": "updated-index"
}
}
{
"config": {},
"connector_type_id": "string",
"id": "string",
"is_deprecated": true,
"is_missing_secrets": true,
"is_preconfigured": true,
"is_system_action": true,
"name": "string"
}