Api key auth (http_api_key)
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
Kibana APIs
1.0.2
Base URL
https://localhost:5601The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation.
To interact with Kibana APIs, use the following operations:
- GET: Fetches the information.
- PATCH: Applies partial modifications to the existing information.
- POST: Adds new information.
- PUT: Updates the existing information.
- DELETE: Removes the information.
You can prepend any Kibana API endpoint with kbn: and run the request in Dev Tools → Console.
For example:
GET kbn:/api/data_views
For more information about the console, refer to Run API requests.
NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
Documentation source and versions
This documentation is derived from the main branch of the kibana repository.
It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.
This documentation contains work-in-progress information for future Elastic Stack releases.
This is version 1.0.2 of this API documentation.
Last update on Feb 11, 2025.
Authentication
The API accepts 2 different authentication methods:
Basic auth (http)
Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password
(separated by a : colon).
Example: send a Authorization: Basic aGVsbG86aGVsbG8=
HTTP header with your requests to authenticate with the API.
Disable a rule
Path parameters
-
The identifier for the rule.
POST
/api/alerting/rule/{id}/_disable
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_disable \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"untrack":true}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"untrack": true
}Unmute all alerts
Path parameters
-
The identifier for the rule.
POST
/api/alerting/rule/{id}/_unmute_all
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_unmute_all \
--header "kbn-xsrf: true"Create a service annotation
Create a new annotation for a specific service.
Headers
-
The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
A required header to protect against CSRF attacks
Path parameters
-
The name of the service
POST
/api/apm/services/{serviceName}/annotation
curl \
--request POST https://localhost:5601/api/apm/services/{serviceName}/annotation \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"@timestamp": "string",
"message": "string",
"service": {
"environment": "string",
"version": "string"
},
"tags": [
"string"
]
}
Response examples (200)
{
"_id": "string",
"_index": "string",
"_source": {
"@timestamp": "string",
"annotation": {
"title": "string",
"type": "string"
},
"event": {
"created": "string"
},
"message": "string",
"service": {
"environment": "string",
"name": "string",
"version": "string"
},
"tags": [
"string"
]
}
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Get source maps
Returns an array of Fleet artifacts, including source map uploads.
Headers
-
The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
GET
/api/apm/sourcemaps
curl \
--request GET https://localhost:5601/api/apm/sourcemaps \
--header "elastic-api-version: 2023-10-31"
Response examples (200)
{
"artifacts": [
{
"body": {
"bundleFilepath": "string",
"serviceName": "string",
"serviceVersion": "string",
"sourceMap": {
"file": "string",
"mappings": "string",
"sourceRoot": "string",
"sources": [
"string"
],
"sourcesContent": [
"string"
],
"version": 42.0
}
},
"compressionAlgorithm": "string",
"created": "string",
"decodedSha256": "string",
"decodedSize": 42.0,
"encodedSha256": "string",
"encodedSize": 42.0,
"encryptionAlgorithm": "string",
"id": "string",
"identifier": "string",
"packageName": "string",
"relative_url": "string",
"type": "string"
}
]
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (500)
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Response examples (501)
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}Get case connectors
Get information about connectors that are supported for use in cases. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
GET
/api/cases/configure/connectors/_find
curl \
--request GET https://localhost:5601/api/cases/configure/connectors/_find
Response examples (200)
[
{
"id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
"name": "my-Jira",
"config": {
"apiUrl": "https://elastic.atlassian.net/",
"projectKey": "ES"
},
"actionTypeId": ".jira",
"isDeprecated": false,
"isPreconfigured": false,
"isMissingSecrets": false,
"referencedByCount": 0
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case creators
Returns information about the users who opened cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.
Query parameters
-
owner string | array[string]
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
GET
/api/cases/reporters
curl \
--request GET https://localhost:5601/api/cases/reporters
Response examples (200)
[
{
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
{
"email": "jdoe@example.com",
"username": "jdoe",
"full_name": "Jane Doe",
"profile_uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get connector information
Path parameters
-
An identifier for the connector.
GET
/api/actions/connector/{id}
curl \
--request GET https://localhost:5601/api/actions/connector/{id}
Response examples (200)
{
"id": "df770e30-8b8b-11ed-a780-3b746c987a81",
"name": "my_server_log_connector",
"config": {},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".server-log",
"is_missing_secrets": false
}Update an existing dashboard Technical Preview
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Path parameters
-
A unique identifier for the dashboard.
Body
-
Additional properties are NOT allowed.
-
references array[object]
PUT
/api/dashboards/dashboard/{id}
curl \
--request PUT https://localhost:5601/api/dashboards/dashboard/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"attributes":{"controlGroupInput":{"autoApplySelections":true,"chainingSystem":"HIERARCHICAL","controls":[{"controlConfig":{},"grow":false,"id":"string","order":42.0,"type":"string","width":"medium"}],"enhancements":{},"ignoreParentSettings":{"ignoreFilters":false,"ignoreQuery":false,"ignoreTimerange":false,"ignoreValidations":false},"labelPosition":"oneLine"},"description":"","kibanaSavedObjectMeta":{"searchSource":{"filter":[{"$state":{"store":"appState"},"meta":{"alias":"string","controlledBy":"string","disabled":true,"field":"string","group":"string","index":"string","isMultiIndex":true,"key":"string","negate":true,"type":"string","value":"string"},"query":{}}],"query":{"language":"string","query":"string"},"sort":[{}],"type":"string"}},"options":{"hidePanelTitles":false,"syncColors":true,"syncCursor":true,"syncTooltips":true,"useMargins":true},"panels":[{"gridData":{"h":15,"i":"string","w":24,"x":42.0,"y":42.0},"id":"string","panelConfig":{"description":"string","enhancements":{},"hidePanelTitles":true,"savedObjectId":"string","title":"string","version":"string"},"panelIndex":"string","panelRefName":"string","title":"string","type":"string","version":"string"}],"refreshInterval":{"display":"string","pause":true,"section":42.0,"value":42.0},"timeFrom":"string","timeRestore":false,"timeTo":"string","title":"string","version":42.0},"references":[{"id":"string","name":"string","type":"string"}]}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"attributes": {
"controlGroupInput": {
"autoApplySelections": true,
"chainingSystem": "HIERARCHICAL",
"controls": [
{
"controlConfig": {},
"grow": false,
"id": "string",
"order": 42.0,
"type": "string",
"width": "medium"
}
],
"enhancements": {},
"ignoreParentSettings": {
"ignoreFilters": false,
"ignoreQuery": false,
"ignoreTimerange": false,
"ignoreValidations": false
},
"labelPosition": "oneLine"
},
"description": "",
"kibanaSavedObjectMeta": {
"searchSource": {
"filter": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": "string",
"controlledBy": "string",
"disabled": true,
"field": "string",
"group": "string",
"index": "string",
"isMultiIndex": true,
"key": "string",
"negate": true,
"type": "string",
"value": "string"
},
"query": {}
}
],
"query": {
"language": "string",
"query": "string"
},
"sort": [
{}
],
"type": "string"
}
},
"options": {
"hidePanelTitles": false,
"syncColors": true,
"syncCursor": true,
"syncTooltips": true,
"useMargins": true
},
"panels": [
{
"gridData": {
"h": 15,
"i": "string",
"w": 24,
"x": 42.0,
"y": 42.0
},
"id": "string",
"panelConfig": {
"description": "string",
"enhancements": {},
"hidePanelTitles": true,
"savedObjectId": "string",
"title": "string",
"version": "string"
},
"panelIndex": "string",
"panelRefName": "string",
"title": "string",
"type": "string",
"version": "string"
}
],
"refreshInterval": {
"display": "string",
"pause": true,
"section": 42.0,
"value": 42.0
},
"timeFrom": "string",
"timeRestore": false,
"timeTo": "string",
"title": "string",
"version": 42.0
},
"references": [
{
"id": "string",
"name": "string",
"type": "string"
}
]
}
Response examples (200)
{
"item": {
"attributes": {
"controlGroupInput": {
"autoApplySelections": true,
"chainingSystem": "HIERARCHICAL",
"controls": [
{
"controlConfig": {},
"grow": false,
"id": "string",
"order": 42.0,
"type": "string",
"width": "medium"
}
],
"enhancements": {},
"ignoreParentSettings": {
"ignoreFilters": false,
"ignoreQuery": false,
"ignoreTimerange": false,
"ignoreValidations": false
},
"labelPosition": "oneLine"
},
"description": "",
"kibanaSavedObjectMeta": {
"searchSource": {
"filter": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": "string",
"controlledBy": "string",
"disabled": true,
"field": "string",
"group": "string",
"index": "string",
"isMultiIndex": true,
"key": "string",
"negate": true,
"type": "string",
"value": "string"
},
"query": {}
}
],
"query": {
"language": "string",
"query": "string"
},
"sort": [
{}
],
"type": "string"
}
},
"options": {
"hidePanelTitles": false,
"syncColors": true,
"syncCursor": true,
"syncTooltips": true,
"useMargins": true
},
"panels": [
{
"gridData": {
"h": 15,
"i": "string",
"w": 24,
"x": 42.0,
"y": 42.0
},
"id": "string",
"panelConfig": {
"description": "string",
"enhancements": {},
"hidePanelTitles": true,
"savedObjectId": "string",
"title": "string",
"version": "string"
},
"panelIndex": "string",
"panelRefName": "string",
"title": "string",
"type": "string",
"version": "string"
}
],
"refreshInterval": {
"display": "string",
"pause": true,
"section": 42.0,
"value": 42.0
},
"timeFrom": "string",
"timeRestore": false,
"timeTo": "string",
"title": "string",
"version": 42.0
},
"createdAt": "string",
"createdBy": "string",
"error": {
"error": "string",
"message": "string",
"metadata": {},
"statusCode": 42.0
},
"id": "string",
"managed": true,
"namespaces": [
"string"
],
"originId": "string",
"references": [
{
"id": "string",
"name": "string",
"type": "string"
}
],
"type": "string",
"updatedAt": "string",
"updatedBy": "string",
"version": "string"
}
}Delete a dashboard Technical Preview
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Path parameters
-
A unique identifier for the dashboard.
DELETE
/api/dashboards/dashboard/{id}
curl \
--request DELETE https://localhost:5601/api/dashboards/dashboard/{id} \
--header "kbn-xsrf: true"Data views
Data view APIs enable you to manage data views, formerly known as Kibana index patterns.
Create a data view
POST
/api/data_views/data_view
curl \
--request POST https://localhost:5601/api/data_views/data_view \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"data_view":{"name":"My Logstash data view","title":"logstash-*","runtimeFieldMap":{"runtime_shape_name":{"type":"keyword","script":{"source":"emit(doc['shape_name'].value)"}}}}}'
Request example
{
"data_view": {
"name": "My Logstash data view",
"title": "logstash-*",
"runtimeFieldMap": {
"runtime_shape_name": {
"type": "keyword",
"script": {
"source": "emit(doc['shape_name'].value)"
}
}
}
}
}
Response examples (200)
{
"data_view": {
"allowNoIndex": true,
"fieldAttrs": {
"additionalProperty1": {
"count": 42,
"customDescription": "string",
"customLabel": "string"
},
"additionalProperty2": {
"count": 42,
"customDescription": "string",
"customLabel": "string"
}
},
"fieldFormats": {},
"fields": {},
"id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
"name": "string",
"namespaces": [
"default"
],
"runtimeFieldMap": {
"additionalProperty1": {
"script": {
"source": "string"
},
"type": "string"
},
"additionalProperty2": {
"script": {
"source": "string"
},
"type": "string"
}
},
"sourceFilters": [
{
"value": "string"
}
],
"timeFieldName": "string",
"title": "string",
"typeMeta": {
"aggs": {},
"params": {}
},
"version": "WzQ2LDJd"
}
}
Response examples (400)
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}Get a runtime field
Path parameters
-
The name of the runtime field.
-
An identifier for the data view.
GET
/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
--request GET https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day
Response examples (200)
{
"fields": [
{
"name": "hour_of_day",
"type": "number",
"count": 0,
"esTypes": [
"long"
],
"scripted": false,
"searchable": true,
"aggregatable": true,
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
},
"shortDotsEnable": false,
"readFromDocValues": false
}
],
"data_view": {
"id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
"name": "Kibana Sample Data Flights",
"title": "kibana_sample_data_flights",
"fields": {
"_id": {
"name": "_id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_id"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Dest": {
"name": "Dest",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"Origin": {
"name": "Origin",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"_index": {
"name": "_index",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_index"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": false
},
"_score": {
"name": "_score",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Carrier": {
"name": "Carrier",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"_source": {
"name": "_source",
"type": "_source",
"count": 0,
"format": {
"id": "_source"
},
"esTypes": [
"_source"
],
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Cancelled": {
"name": "Cancelled",
"type": "boolean",
"count": 0,
"format": {
"id": "boolean"
},
"esTypes": [
"boolean"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightNum": {
"name": "FlightNum",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"dayOfWeek": {
"name": "dayOfWeek",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"timestamp": {
"name": "timestamp",
"type": "date",
"count": 0,
"format": {
"id": "date"
},
"esTypes": [
"date"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestRegion": {
"name": "DestRegion",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestCountry": {
"name": "DestCountry",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestWeather": {
"name": "DestWeather",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelay": {
"name": "FlightDelay",
"type": "boolean",
"count": 0,
"format": {
"id": "boolean"
},
"esTypes": [
"boolean"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"hour_of_day": {
"name": "hour_of_day",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "00"
}
},
"esTypes": [
"long"
],
"scripted": false,
"searchable": true,
"aggregatable": true,
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
},
"shortDotsEnable": false,
"readFromDocValues": false
},
"DestCityName": {
"name": "DestCityName",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestLocation": {
"name": "DestLocation",
"type": "geo_point",
"count": 0,
"format": {
"id": "geo_point",
"params": {
"transform": "wkt"
}
},
"esTypes": [
"geo_point"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginRegion": {
"name": "OriginRegion",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestAirportID": {
"name": "DestAirportID",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DistanceMiles": {
"name": "DistanceMiles",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightTimeMin": {
"name": "FlightTimeMin",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginCountry": {
"name": "OriginCountry",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginWeather": {
"name": "OriginWeather",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"AvgTicketPrice": {
"name": "AvgTicketPrice",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelayMin": {
"name": "FlightDelayMin",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightTimeHour": {
"name": "FlightTimeHour",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginCityName": {
"name": "OriginCityName",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginLocation": {
"name": "OriginLocation",
"type": "geo_point",
"count": 0,
"format": {
"id": "geo_point",
"params": {
"transform": "wkt"
}
},
"esTypes": [
"geo_point"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelayType": {
"name": "FlightDelayType",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginAirportID": {
"name": "OriginAirportID",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DistanceKilometers": {
"name": "DistanceKilometers",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
}
},
"version": "WzM2LDJd",
"fieldAttrs": {},
"allowNoIndex": false,
"fieldFormats": {
"hour_of_day": {
"id": "number",
"params": {
"pattern": "00"
}
},
"AvgTicketPrice": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
}
},
"sourceFilters": [],
"timeFieldName": "timestamp",
"runtimeFieldMap": {
"hour_of_day": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
}
}
}
}
Response examples (404)
{
"error": "Not Found",
"message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
"statusCode": 404
}Upgrade an agent
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
Body
-
force boolean
-
skipRateLimitCheck boolean
-
source_uri string
POST
/api/fleet/agents/{agentId}/upgrade
curl \
--request POST https://localhost:5601/api/fleet/agents/{agentId}/upgrade \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"force":true,"skipRateLimitCheck":true,"source_uri":"string","version":"string"}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"force": true,
"skipRateLimitCheck": true,
"source_uri": "string",
"version": "string"
}
Response examples (200)
{}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Bulk reassign agents
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
Body
agents array[string] | string Required
-
batchSize number
-
includeInactive boolean
Default value is
false.
POST
/api/fleet/agents/bulk_reassign
curl \
--request POST https://localhost:5601/api/fleet/agents/bulk_reassign \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"policy_id":"string"}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"agents": [
"string"
],
"batchSize": 42.0,
"includeInactive": false,
"policy_id": "string"
}
Response examples (200)
{
"actionId": "string"
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Delete an agent binary download source
Delete an agent binary download source by ID.
[Required authorization] Route required privileges: ALL of [fleet-settings-all].
DELETE
/api/fleet/agent_download_sources/{sourceId}
curl \
--request DELETE https://localhost:5601/api/fleet/agent_download_sources/{sourceId} \
--header "kbn-xsrf: true"
Response examples (200)
{
"id": "string"
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Bulk get agent policies
[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].
Query parameters
-
format string
Values are
simplifiedorlegacy.
Body
-
full boolean
get full policies with package policies populated
-
list of package policy ids
-
ignoreMissing boolean
POST
/api/fleet/agent_policies/_bulk_get
curl \
--request POST https://localhost:5601/api/fleet/agent_policies/_bulk_get \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"full":true,"ids":["string"],"ignoreMissing":true}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"full": true,
"ids": [
"string"
],
"ignoreMissing": true
}
Response examples (200)
{
"items": [
{
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"agents": 42.0,
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_preconfigured": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"package_policies": [
"string"
],
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"revision": 42.0,
"schema_version": "string",
"space_ids": [
"string"
],
"status": "active",
"supports_agentless": false,
"unenroll_timeout": 42.0,
"unprivileged_agents": 42.0,
"updated_at": "string",
"updated_by": "string",
"version": "string"
}
]
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Delete an uploaded file
Delete a file uploaded by an agent.
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
DELETE
/api/fleet/agents/files/{fileId}
curl \
--request DELETE https://localhost:5601/api/fleet/agents/files/{fileId} \
--header "kbn-xsrf: true"
Response examples (200)
{
"deleted": true,
"id": "string"
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Install a package from the registry
[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].
Path parameters
-
pkgVersion string
Query parameters
-
prerelease boolean
-
ignoreMappingUpdateErrors boolean
Default value is
false. -
skipDataStreamRollover boolean
Default value is
false.
Body
-
force boolean
Default value is
false. -
ignore_constraints boolean
Default value is
false.
POST
/api/fleet/epm/packages/{pkgName}/{pkgVersion}
curl \
--request POST https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"force":false,"ignore_constraints":false}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"force": false,
"ignore_constraints": false
}
Response examples (200)
{
"_meta": {
"install_source": "string"
},
"items": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
]
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Get a package file
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
GET
/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
curl \
--request GET https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Get an inputs template
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
Query parameters
-
format string
Values are
json,yml, oryaml. Default value isjson. -
prerelease boolean
-
ignoreUnverified boolean
GET
/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
curl \
--request GET https://localhost:5601/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
Response examples (200)
String-1
string{
"inputs": [
{
"id": "string",
"streams": [
{
"data_stream": {
"dataset": "string",
"type": "string"
},
"id": "string"
}
],
"type": "string"
}
]
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Get enrollment API keys
[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].
GET
/api/fleet/enrollment_api_keys
curl \
--request GET https://localhost:5601/api/fleet/enrollment_api_keys
Response examples (200)
{
"items": [
{
"active": true,
"api_key": "string",
"api_key_id": "string",
"created_at": "string",
"id": "string",
"name": "string",
"policy_id": "string"
}
],
"list": [
{
"active": true,
"api_key": "string",
"api_key_id": "string",
"created_at": "string",
"id": "string",
"name": "string",
"policy_id": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Create an enrollment API key
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
Body
-
expiration string
-
name string
POST
/api/fleet/enrollment_api_keys
curl \
--request POST https://localhost:5601/api/fleet/enrollment_api_keys \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"expiration":"string","name":"string","policy_id":"string"}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"expiration": "string",
"name": "string",
"policy_id": "string"
}
Response examples (200)
{
"action": "created",
"item": {
"active": true,
"api_key": "string",
"api_key_id": "string",
"created_at": "string",
"id": "string",
"name": "string",
"policy_id": "string"
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Initiate Fleet setup
[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].
POST
/api/fleet/setup
curl \
--request POST https://localhost:5601/api/fleet/setup \
--header "kbn-xsrf: true"
Response examples (200)
{
"isInitialized": true,
"nonFatalErrors": [
{
"message": "string",
"name": "string"
}
]
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Response examples (500)
{
"message": "string"
}Get output
Get output by ID.
[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].
GET
/api/fleet/outputs/{outputId}
curl \
--request GET https://localhost:5601/api/fleet/outputs/{outputId}
Response examples (200)
{
"item": {
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"https://example.com"
],
"id": "string",
"is_default": false,
"is_default_monitoring": false,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"preset": "balanced",
"proxy_id": "string",
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "elasticsearch"
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Update a package policy
Update a package policy by ID.
Query parameters
-
format string
Values are
simplifiedorlegacy.
Body object
-
description string
Package policy description
-
enabled boolean
-
force boolean
-
inputs array[object]
-
is_managed boolean
-
name string
-
namespace string
The package policy namespace. Leave blank to inherit the agent policy's namespace.
-
output_id string | null
-
overrides object | null
Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
Additional properties are NOT allowed.
-
package object
Additional properties are NOT allowed.
-
Agent policy ID where that package policy will be added
-
policy_ids array[string]
Agent policy IDs where that package policy will be added
-
supports_agentless boolean | null
Indicates whether the package policy belongs to an agentless agent policy.
Default value is
false. -
vars object
Package variable (see integration documentation for more information)
-
version string
PUT
/api/fleet/package_policies/{packagePolicyId}
curl \
--request PUT https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"description":"string","enabled":true,"force":true,"inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"version":"string"}'
Request examples
Object-1
# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"enabled": true,
"force": true,
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"supports_agentless": false,
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"version": "string"
}# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"force": true,
"id": "string",
"inputs": {
"additionalProperty1": {
"enabled": true,
"streams": {
"additionalProperty1": {
"enabled": true,
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"vars": {}
}
},
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"streams": {
"additionalProperty1": {
"enabled": true,
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"vars": {}
}
},
"vars": {}
}
},
"name": "string",
"namespace": "string",
"output_id": "string",
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"supports_agentless": false,
"vars": {}
}
Response examples (200)
{
"item": {
"agents": 42.0,
"created_at": "string",
"created_by": "string",
"description": "string",
"elasticsearch": {
"privileges": {
"cluster": [
"string"
]
}
},
"enabled": true,
"id": "string",
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"revision": 42.0,
"secret_references": [
{
"id": "string"
}
],
"spaceIds": [
"string"
],
"supports_agentless": false,
"updated_at": "string",
"updated_by": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"version": "string"
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Response examples (403)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Delete a proxy
Delete a proxy by ID
[Required authorization] Route required privileges: ALL of [fleet-settings-all].
DELETE
/api/fleet/proxies/{itemId}
curl \
--request DELETE https://localhost:5601/api/fleet/proxies/{itemId} \
--header "kbn-xsrf: true"
Response examples (200)
{
"id": "string"
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Get metadata for latest uninstall tokens
List the metadata for the latest uninstall tokens per agent policy.
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
GET
/api/fleet/uninstall_tokens
curl \
--request GET https://localhost:5601/api/fleet/uninstall_tokens
Response examples (200)
{
"items": [
{
"created_at": "string",
"id": "string",
"namespaces": [
"string"
],
"policy_id": "string",
"policy_name": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Saved objects
Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.
To manage a specific type of saved object, use the corresponding APIs. For example, use:
Warning: Do not write documents directly to the .kibana index. When you write directly to the .kibana index, the data becomes corrupted and permanently breaks future Kibana versions.
Rotate a key for encrypted saved objects
Superuser role required.
If a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key.
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Query parameters
-
batch_size number
Specifies a maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consequent batches. By default, the batch size is 10000, which is also a maximum allowed value.
Default value is
10000. -
type string
Limits encryption key rotation only to the saved objects with the specified type. By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes.
POST
/api/encrypted_saved_objects/_rotate_key
curl \
--request POST https://localhost:5601/api/encrypted_saved_objects/_rotate_key
Response examples (200)
{
"total": 1000,
"failed": 0,
"successful": 300
}
Response examples (400)
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Response examples (429)
{}Update saved objects Deprecated
Update the attributes for multiple Kibana saved objects.
POST
/api/saved_objects/_bulk_update
curl \
--request POST https://localhost:5601/api/saved_objects/_bulk_update \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '[{}]'
Request examples
# Headers
kbn-xsrf: string
# Payload
[
{}
]
Response examples (200)
{}
Response examples (400)
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}Get anonymization fields
Get a list of all anonymization fields.
Query parameters
-
fields array[string]
-
filter string
Search query
-
sort_field string
Field to sort by
Values are
created_at,anonymized,allowed,field, orupdated_at. -
sort_order string
Sort order
Values are
ascordesc. -
page integer
Page number
Minimum value is
1. Default value is1. -
per_page integer
AnonymizationFields per page
Minimum value is
0. Default value is20.
GET
/api/security_ai_assistant/anonymization_fields/_find
curl \
--request GET https://localhost:5601/api/security_ai_assistant/anonymization_fields/_find
Response examples (200)
{
"data": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
],
"page": 42,
"perPage": 42,
"total": 42
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Deletes a single Knowledge Base Entry using the `id` field
Deletes a single Knowledge Base Entry using the id field
Path parameters
-
The Knowledge Base Entry's
idvalueMinimum length is
1.
DELETE
/api/security_ai_assistant/knowledge_base/entries/{id}
curl \
--request DELETE https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/{id}
Response examples (200)
{
"id": "string"
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Export detection rules
Export detection rules to an .ndjson file. The following configuration items are also included in the .ndjson file:
- Actions
- Exception lists
You cannot export prebuilt rules.
Query parameters
-
exclude_export_details boolean
Determines whether a summary of the exported rules is returned.
Default value is
false. -
file_name string
File name for saving the exported rules.
Default value is
export.ndjson.
POST
/api/detection_engine/rules/_export
curl \
--request POST https://localhost:5601/api/detection_engine/rules/_export \
--header "Content-Type: application/json" \
--data '{"objects":[{"rule_id":"string"}]}'
Request examples
{
"objects": [
{
"rule_id": "string"
}
]
}
Response examples (200)
@fileImport detection rules
Import detection rules from an .ndjson file, including actions and exception lists. The request must include:
- The
Content-Type: multipart/form-dataHTTP header. - A link to the
.ndjsonfile containing the rules.
Query parameters
-
overwrite boolean
Determines whether existing rules with the same
rule_idare overwritten.Default value is
false. -
overwrite_exceptions boolean
Determines whether existing exception lists with the same
list_idare overwritten.Default value is
false. -
overwrite_action_connectors boolean
Determines whether existing actions with the same
kibana.alert.rule.actions.idare overwritten.Default value is
false. -
as_new_list boolean
Generates a new list ID for each imported exception list.
Default value is
false.
POST
/api/detection_engine/rules/_import
curl \
--request POST https://localhost:5601/api/detection_engine/rules/_import \
--header "Content-Type: multipart/form-data" \
--form "file=@file"
Response examples (200)
{
"action_connectors_errors": [
{
"error": {
"message": "string",
"status_code": 42
},
"id": "string",
"item_id": "string",
"list_id": "string",
"rule_id": "string"
}
],
"action_connectors_success": true,
"action_connectors_success_count": 42,
"action_connectors_warnings": [
{
"actionPath": "string",
"buttonLabel": "string",
"message": "string",
"type": "string"
}
],
"errors": [
{
"error": {
"message": "string",
"status_code": 42
},
"id": "string",
"item_id": "string",
"list_id": "string",
"rule_id": "string"
}
],
"exceptions_errors": [
{
"error": {
"message": "string",
"status_code": 42
},
"id": "string",
"item_id": "string",
"list_id": "string",
"rule_id": "string"
}
],
"exceptions_success": true,
"exceptions_success_count": 42,
"rules_count": 42,
"success": true,
"success_count": 42
}Retrieve the status of prebuilt detection rules and Timelines
Retrieve the status of all Elastic prebuilt detection rules and Timelines.
GET
/api/detection_engine/rules/prepackaged/_status
curl \
--request GET https://localhost:5601/api/detection_engine/rules/prepackaged/_status
Response examples (200)
{
"rules_custom_installed": 42,
"rules_installed": 42,
"rules_not_installed": 42,
"rules_not_updated": 42,
"timelines_installed": 42,
"timelines_not_installed": 42,
"timelines_not_updated": 42
}