List all detection rule tags

Unmute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

rule_id string Required

The identifier for the rule.
alert_id string Required

The identifier for the alert.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json

Body

cases array[object] Required

An array containing one or more case objects.

At least 1 but not more than 100 elements.
Hide cases attributes Show cases attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string
  
  A word or phrase that categorizes the case.
  
  Maximum length is 50.
- connector object
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required
  
  The type of connector.
  
  Value is .swimlane.
- customFields array[object]
  
  Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
  
  At least 0 but not more than 10 elements.
  Hide customFields attributes Show customFields attributes object
  
  key string Required
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string Required
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean Required
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string
  
  The description for the case.
  
  Maximum length is 30000.
- id string Required
  
  The identifier for the case.
  
  Maximum length is 30000.
- settings object
  
  An object that contains the case settings.
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string]
  
  The words and phrases that help categorize cases. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
- title string
  
  A title for the case.
  
  Maximum length is 160.
- version string Required
  
  The current version of the case. To determine this value, use the get case or find cases APIs.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

PATCH /api/cases

curl \
 --request PATCH 'https://localhost:5601/api/cases' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"cases":[{"id":"a18b38a0-71b0-11ea-a0b2-c51ea50a58e2","tags":["tag-1"],"version":"WzIzLDFd","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":null,"issueType":"10006"}},"description":"A case description.","customFields":[{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":false},{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My new field value"}]}]}'

Request example

{
  "cases": [
    {
      "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
      "tags": [
        "tag-1"
      ],
      "version": "WzIzLDFd",
      "settings": {
        "syncAlerts": true
      },
      "connector": {
        "id": "131d4448-abe0-4789-939d-8ef60680b498",
        "name": "My connector",
        "type": ".jira",
        "fields": {
          "parent": null,
          "priority": null,
          "issueType": "10006"
        }
      },
      "description": "A case description.",
      "customFields": [
        {
          "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
          "type": "toggle",
          "value": false
        },
        {
          "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
          "type": "text",
          "value": "My new field value"
        }
      ]
    }
  ]
}

Response examples (200)

[
  {
    "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
    "tags": [
      "tag-1"
    ],
    "owner": "cases",
    "title": "Case title 1",
    "status": "open",
    "version": "WzU0OCwxXQ==",
    "category": null,
    "comments": [],
    "duration": null,
    "settings": {
      "syncAlerts": true
    },
    "severity": "low",
    "assignees": [],
    "closed_at": null,
    "closed_by": null,
    "connector": {
      "id": "131d4448-abe0-4789-939d-8ef60680b498",
      "name": "My connector",
      "type": ".jira",
      "fields": {
        "parent": null,
        "priority": null,
        "issueType": "10006"
      }
    },
    "created_at": "2023-10-13T09:16:17.416Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null,
      "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    },
    "updated_at": "2023-10-13T09:48:33.043Z",
    "updated_by": {
      "email": null,
      "username": "elastic",
      "full_name": null,
      "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    },
    "description": "A case description.",
    "totalAlerts": 0,
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "value": "My new field value"
      },
      {
        "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
        "type": "toggle",
        "value": false
      }
    ],
    "totalComment": 0,
    "external_service": {
      "pushed_at": "2023-10-13T09:20:40.672Z",
      "pushed_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      },
      "external_id": "10003",
      "connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
      "external_url": "https://hms.atlassian.net/browse/IS-4",
      "connector_name": "Jira",
      "external_title": "IS-4"
    }
  }
]

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get all alerts for a case Technical preview

GET /api/cases/{caseId}/alerts

Api key auth Basic auth

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- attached_at string(date-time)
- id string
  
  The alert identifier.
- index string
  
  The alert index.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/{caseId}/alerts

curl \
 --request GET 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/alerts' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": "f6a7d0c3-d52d-432c-b2e6-447cd7fce04d",
    "index": ".alerts-observability.logs.alerts-default",
    "attached_at": "2022-07-25T20:09:40.963Z"
  }
]

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Create or update a runtime field

PUT /api/data_views/data_view/{viewId}/runtime_field

Api key auth Basic auth

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

viewId string Required

The ID of the data view fields you want to update.

application/json

Body Required

name string Required

The name for a runtime field.
runtimeField object Required

The runtime field definition object.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- data_view object
- fields array[object]
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

PUT /api/data_views/data_view/{viewId}/runtime_field

curl \
 --request PUT 'https://localhost:5601/api/data_views/data_view/{viewId}/runtime_field' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'

Request example

{
  "name": "runtimeFoo",
  "runtimeField": {
    "type": "long",
    "script": {
      "source": "emit(doc[\"foo\"].value)"
    }
  }
}

Response examples (200)

{
  "data_view": {},
  "fields": [
    {}
  ]
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Install prebuilt detection rules and Timelines

PUT /api/detection_engine/rules/prepackaged

Api key auth Basic auth

Install and update all Elastic prebuilt detection rules and Timelines.

This endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic. When you call this endpoint, it will:

Install any new prebuilt detection rules that are not currently installed in your system.
Update any existing prebuilt detection rules that have been modified or improved by Elastic.
Install any new prebuilt Timelines that are not currently installed in your system.
Update any existing prebuilt Timelines that have been modified or improved by Elastic.

This ensures that your detection engine is always up-to-date with the latest rules and Timelines, providing you with the most current and effective threat detection capabilities.

Responses

200 application/json

Indicates a successful call
Hide response attributes Show response attributes object
- rules_installed integer Required
  
  The number of rules installed
  
  Minimum value is 0.
- rules_updated integer Required
  
  The number of rules updated
  
  Minimum value is 0.
- timelines_installed integer Required
  
  The number of timelines installed
  
  Minimum value is 0.
- timelines_updated integer Required
  
  The number of timelines updated
  
  Minimum value is 0.

PUT /api/detection_engine/rules/prepackaged

curl \
 --request PUT 'https://localhost:5601/api/detection_engine/rules/prepackaged' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "rules_updated": 0,
  "rules_installed": 112,
  "timelines_updated": 2,
  "timelines_installed": 5
}

Clean up detection alert migrations Deprecated

DELETE /api/detection_engine/signals/migration

Api key auth Basic auth

Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted.

While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation.

application/json

Body Required

Array of migration_ids to cleanup

migration_ids array[string] Required

Array of migration_ids to cleanup.

At least 1 element.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- destinationIndex string Required
- error object
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  status_code integer Required
- id string Required
- sourceIndex string Required
- status string Required
  
  Values are success, failure, or pending.
- updated string(date-time) Required
- version string Required
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

DELETE /api/detection_engine/signals/migration

curl \
 --request DELETE 'https://localhost:5601/api/detection_engine/signals/migration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]}'

Request example

{
  "migration_ids": [
    "924f7c50-505f-11eb-ae0a-3fa2e626a51d"
  ]
}

Response examples (200)

{
  "migrations": [
    {
      "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "status": "success",
      "updated": "2021-01-06T22:05:56.859Z",
      "version": 16,
      "sourceIndex": ".siem-signals-default-000002",
      "destinationIndex": ".siem-signals-default-000002-r000016"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

GET /api/detection_engine/tags

Api key auth Basic auth

List all unique tags from all detection rules.

Responses

200 application/json

Indicates a successful call

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

GET /api/detection_engine/tags

curl \
 --request GET 'https://localhost:5601/api/detection_engine/tags' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  "zeek",
  "suricata",
  "windows",
  "linux",
  "network",
  "initial access",
  "remote access",
  "phishing"
]

Start an Entity Engine

POST /api/entity_store/engines/{entityType}/start

Api key auth Basic auth

Path parameters

entityType string Required

The entity type of the engine

Values are user, host, service, or generic.

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- started boolean

POST /api/entity_store/engines/{entityType}/start

curl \
 --request POST 'https://localhost:5601/api/entity_store/engines/{entityType}/start' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "started": true
}

Apply DataView indices to all installed engines

POST /api/entity_store/engines/apply_dataview_indices

Api key auth Basic auth

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- result array[object]
  
  Hide result attributes Show result attributes object
  
  changes object
  
  Hide changes attribute Show changes attribute object
  
  indexPatterns array[string]
  
  type string Required
- success boolean
207 application/json

Partial successful response
Hide response attributes Show response attributes object
- errors array[string]
- result array[object]
  
  Hide result attributes Show result attributes object
  
  changes object
  
  Hide changes attribute Show changes attribute object
  
  indexPatterns array[string]
  
  type string Required
- success boolean
500 application/json

Error response
Hide response attributes Show response attributes object
- body string
- statusCode number

POST /api/entity_store/engines/apply_dataview_indices

curl \
 --request POST 'https://localhost:5601/api/entity_store/engines/apply_dataview_indices' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "result": [
    {
      "changes": {
        "indexPatterns": [
          "string"
        ]
      },
      "type": "string"
    }
  ],
  "success": true
}

Response examples (207)

{
  "errors": [
    "string"
  ],
  "result": [
    {
      "changes": {
        "indexPatterns": [
          "string"
        ]
      },
      "type": "string"
    }
  ],
  "success": true
}

Response examples (500)

{
  "body": "string",
  "statusCode": 42.0
}

Update an SLO

PUT /s/{spaceId}/api/observability/slos/{sloId}

Api key auth Basic auth

You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

spaceId string Required

An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.
sloId string Required

An identifier for the slo.

application/json

Body Required

budgetingMethod string

The budgeting method to use when computing the rollup data.

Values are occurrences or timeslices.
description string

A description for the SLO.
groupBy string | array[string]

optional group by field or fields to use to generate an SLO per distinct value

One of:
string-1 string array-2 array[string]
indicator object
One of:
SLOs_indicator_properties_custom_kql object SLOs_indicator_properties_apm_availability object SLOs_indicator_properties_apm_latency object SLOs_indicator_properties_custom_metric object SLOs_indicator_properties_histogram object SLOs_indicator_properties_timeslice_metric object
Defines properties for a custom query indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

dataViewId string

The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.

filter string | object

Defines properties for a filter

One of:
string-1 string object-2 object

the KQL query to filter the documents with.

Hide attributes Show attributes

filters array[object]

Defines properties for a filter

Hide filters attributes Show filters attributes object

meta object

Defines properties for a filter

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

type string

value string

query object

kqlQuery string

good string | object Required

The KQL query used to define the good events.

One of:
string-1 string object-2 object

the KQL query to filter the documents with.

Hide attributes Show attributes

filters array[object]

Defines properties for a filter

Hide filters attributes Show filters attributes object

meta object

Defines properties for a filter

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

type string

value string

query object

kqlQuery string

index string Required

The index or index pattern to use

timestampField string Required

The timestamp field used in the source indice.

total string | object Required

The KQL query used to define all events.

One of:
string-1 string object-2 object

the KQL query to filter the documents with.

Hide attributes Show attributes

filters array[object]

Defines properties for a filter

Hide filters attributes Show filters attributes object

meta object

Defines properties for a filter

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

type string

value string

query object

kqlQuery string

type string Required

The type of indicator.
Defines properties for the APM availability indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

environment string Required

The APM service environment or "*"

filter string

KQL query used for filtering the data

index string Required

The index used by APM metrics

service string Required

The APM service name

transactionName string Required

The APM transaction name or "*"

transactionType string Required

The APM transaction type or "*"

type string Required

The type of indicator.
Defines properties for the APM latency indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

environment string Required

The APM service environment or "*"

filter string

KQL query used for filtering the data

index string Required

The index used by APM metrics

service string Required

The APM service name

threshold number Required

The latency threshold in milliseconds

transactionName string Required

The APM transaction name or "*"

transactionType string Required

The APM transaction type or "*"

type string Required

The type of indicator.
Defines properties for a custom metric indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

dataViewId string

The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.

filter string

the KQL query to filter the documents with.

good object Required

An object defining the "good" metrics and equation

Hide good attributes Show good attributes object

equation string Required

The equation to calculate the "good" metric.

metrics array[object] Required

List of metrics with their name, aggregation type, and field.

One of:
object-1 object object-2 object

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric.

Value is sum.

field string Required

The field of the metric.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric.

Value is doc_count.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

index string Required

The index or index pattern to use

timestampField string Required

The timestamp field used in the source indice.

total object Required

An object defining the "total" metrics and equation

Hide total attributes Show total attributes object

equation string Required

The equation to calculate the "total" metric.

metrics array[object] Required

List of metrics with their name, aggregation type, and field.

One of:
object-1 object object-2 object

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric.

Value is sum.

field string Required

The field of the metric.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric.

Value is doc_count.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

type string Required

The type of indicator.
Defines properties for a histogram indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

dataViewId string

The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.

filter string

the KQL query to filter the documents with.

good object Required

An object defining the "good" events

Hide good attributes Show good attributes object

aggregation string Required

The type of aggregation to use.

Values are value_count or range.

field string Required

The field use to aggregate the good events.

filter string

The filter for good events.

from number

The starting value of the range. Only required for "range" aggregations.

to number

The ending value of the range. Only required for "range" aggregations.

index string Required

The index or index pattern to use

timestampField string Required

The timestamp field used in the source indice.

total object Required

An object defining the "total" events

Hide total attributes Show total attributes object

aggregation string Required

The type of aggregation to use.

Values are value_count or range.

field string Required

The field use to aggregate the good events.

filter string

The filter for total events.

from number

The starting value of the range. Only required for "range" aggregations.

to number

The ending value of the range. Only required for "range" aggregations.

type string Required

The type of indicator.
Defines properties for a timeslice metric indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

dataViewId string

The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.

filter string

the KQL query to filter the documents with.

index string Required

The index or index pattern to use

metric object Required

An object defining the metrics, equation, and threshold to determine if it's a good slice or not

Hide metric attributes Show metric attributes object

comparator string Required

The comparator to use to compare the equation to the threshold.

Values are GT, GTE, LT, or LTE.

equation string Required

The equation to calculate the metric.

metrics array[object] Required

List of metrics with their name, aggregation type, and field.

Any of:
SLOs_timeslice_metric_basic_metric_with_field object SLOs_timeslice_metric_percentile_metric object SLOs_timeslice_metric_doc_count_metric object

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric.

Values are sum, avg, min, max, std_deviation, last_value, or cardinality.

field string Required

The field of the metric.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric. Only valid option is "percentile"

Value is percentile.

field string Required

The field of the metric.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

percentile number Required

The percentile value.

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric. Only valid option is "doc_count"

Value is doc_count.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

threshold number Required

The threshold used to determine if the metric is a good slice or not.

timestampField string Required

The timestamp field used in the source indice.

type string Required

The type of indicator.
name string

A name for the SLO.
objective object

Defines properties for the SLO objective
Hide objective attributes Show objective attributes object
- target number Required
  
  the target objective between 0 and 1 excluded
  
  Minimum value is 0, maximum value is 100.
- timesliceTarget number
  
  the target objective for each slice when using a timeslices budgeting method
  
  Minimum value is 0, maximum value is 100.
- timesliceWindow string
  
  the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}
settings object

Defines properties for SLO settings.
Hide settings attributes Show settings attributes object
- frequency string
  
  The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
  
  Default value is 1m.
- preventInitialBackfill boolean
  
  Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
  
  Default value is false.
- syncDelay string
  
  The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.
  
  Default value is 1m.
- syncField string
  
  The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
tags array[string]

List of tags
timeWindow object

Defines properties for the SLO time window
Hide timeWindow attributes Show timeWindow attributes object
- duration string Required
  
  the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)
- type string Required
  
  Indicates weither the time window is a rolling or a calendar aligned time window.
  
  Values are rolling or calendarAligned.

Responses

200 application/json

Successful request
Hide response attributes Show response attributes object
- budgetingMethod string Required
  
  The budgeting method to use when computing the rollup data.
  
  Values are occurrences or timeslices.
- createdAt string Required
  
  The creation date
- description string Required
  
  The description of the SLO.
- enabled boolean Required
  
  Indicate if the SLO is enabled
- groupBy string | array[string] Required
  
  optional group by field or fields to use to generate an SLO per distinct value
  
  One of:
  string-1 string array-2 array[string]
- id string Required
  
  The identifier of the SLO.
- indicator object Required
  
  One of:
  SLOs_indicator_properties_custom_kql object SLOs_indicator_properties_apm_availability object SLOs_indicator_properties_apm_latency object SLOs_indicator_properties_custom_metric object SLOs_indicator_properties_histogram object SLOs_indicator_properties_timeslice_metric object
  
  Defines properties for a custom query indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string | object
  
  Defines properties for a filter
  
  One of:
  string-1 string object-2 object
  
  the KQL query to filter the documents with.
  
  Hide attributes Show attributes
  
  filters array[object]
  
  Defines properties for a filter
  
  Hide filters attributes Show filters attributes object
  
  meta object
  
  Defines properties for a filter
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  params object
  
  type string
  
  value string
  
  query object
  
  kqlQuery string
  
  good string | object Required
  
  The KQL query used to define the good events.
  
  One of:
  string-1 string object-2 object
  
  the KQL query to filter the documents with.
  
  Hide attributes Show attributes
  
  filters array[object]
  
  Defines properties for a filter
  
  Hide filters attributes Show filters attributes object
  
  meta object
  
  Defines properties for a filter
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  params object
  
  type string
  
  value string
  
  query object
  
  kqlQuery string
  
  index string Required
  
  The index or index pattern to use
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  total string | object Required
  
  The KQL query used to define all events.
  
  One of:
  string-1 string object-2 object
  
  the KQL query to filter the documents with.
  
  Hide attributes Show attributes
  
  filters array[object]
  
  Defines properties for a filter
  
  Hide filters attributes Show filters attributes object
  
  meta object
  
  Defines properties for a filter
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  params object
  
  type string
  
  value string
  
  query object
  
  kqlQuery string
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.kql.custom.
  
  Defines properties for the APM availability indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  environment string Required
  
  The APM service environment or "*"
  
  filter string
  
  KQL query used for filtering the data
  
  index string Required
  
  The index used by APM metrics
  
  service string Required
  
  The APM service name
  
  transactionName string Required
  
  The APM transaction name or "*"
  
  transactionType string Required
  
  The APM transaction type or "*"
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.apm.transactionErrorRate.
  
  Defines properties for the APM latency indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  environment string Required
  
  The APM service environment or "*"
  
  filter string
  
  KQL query used for filtering the data
  
  index string Required
  
  The index used by APM metrics
  
  service string Required
  
  The APM service name
  
  threshold number Required
  
  The latency threshold in milliseconds
  
  transactionName string Required
  
  The APM transaction name or "*"
  
  transactionType string Required
  
  The APM transaction type or "*"
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.apm.transactionDuration.
  
  Defines properties for a custom metric indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string
  
  the KQL query to filter the documents with.
  
  good object Required
  
  An object defining the "good" metrics and equation
  
  Hide good attributes Show good attributes object
  
  equation string Required
  
  The equation to calculate the "good" metric.
  
  metrics array[object] Required
  
  List of metrics with their name, aggregation type, and field.
  
  One of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Value is sum.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Value is doc_count.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  index string Required
  
  The index or index pattern to use
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  total object Required
  
  An object defining the "total" metrics and equation
  
  Hide total attributes Show total attributes object
  
  equation string Required
  
  The equation to calculate the "total" metric.
  
  metrics array[object] Required
  
  List of metrics with their name, aggregation type, and field.
  
  One of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Value is sum.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Value is doc_count.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.metric.custom.
  
  Defines properties for a histogram indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string
  
  the KQL query to filter the documents with.
  
  good object Required
  
  An object defining the "good" events
  
  Hide good attributes Show good attributes object
  
  aggregation string Required
  
  The type of aggregation to use.
  
  Values are value_count or range.
  
  field string Required
  
  The field use to aggregate the good events.
  
  filter string
  
  The filter for good events.
  
  from number
  
  The starting value of the range. Only required for "range" aggregations.
  
  to number
  
  The ending value of the range. Only required for "range" aggregations.
  
  index string Required
  
  The index or index pattern to use
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  total object Required
  
  An object defining the "total" events
  
  Hide total attributes Show total attributes object
  
  aggregation string Required
  
  The type of aggregation to use.
  
  Values are value_count or range.
  
  field string Required
  
  The field use to aggregate the good events.
  
  filter string
  
  The filter for total events.
  
  from number
  
  The starting value of the range. Only required for "range" aggregations.
  
  to number
  
  The ending value of the range. Only required for "range" aggregations.
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.histogram.custom.
  
  Defines properties for a timeslice metric indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string
  
  the KQL query to filter the documents with.
  
  index string Required
  
  The index or index pattern to use
  
  metric object Required
  
  An object defining the metrics, equation, and threshold to determine if it's a good slice or not
  
  Hide metric attributes Show metric attributes object
  
  comparator string Required
  
  The comparator to use to compare the equation to the threshold.
  
  Values are GT, GTE, LT, or LTE.
  
  equation string Required
  
  The equation to calculate the metric.
  
  metrics array[object] Required
  
  List of metrics with their name, aggregation type, and field.
  
  Any of:
  SLOs_timeslice_metric_basic_metric_with_field object SLOs_timeslice_metric_percentile_metric object SLOs_timeslice_metric_doc_count_metric object
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Values are sum, avg, min, max, std_deviation, last_value, or cardinality.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric. Only valid option is "percentile"
  
  Value is percentile.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  percentile number Required
  
  The percentile value.
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric. Only valid option is "doc_count"
  
  Value is doc_count.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  threshold number Required
  
  The threshold used to determine if the metric is a good slice or not.
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.metric.timeslice.
- name string Required
  
  The name of the SLO.
- objective object Required
  
  Defines properties for the SLO objective
  
  Hide objective attributes Show objective attributes object
  
  target number Required
  
  the target objective between 0 and 1 excluded
  
  Minimum value is 0, maximum value is 100.
  
  timesliceTarget number
  
  the target objective for each slice when using a timeslices budgeting method
  
  Minimum value is 0, maximum value is 100.
  
  timesliceWindow string
  
  the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}
- revision number Required
  
  The SLO revision
- settings object Required
  
  Defines properties for SLO settings.
  
  Hide settings attributes Show settings attributes object
  
  frequency string
  
  The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
  
  Default value is 1m.
  
  preventInitialBackfill boolean
  
  Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
  
  Default value is false.
  
  syncDelay string
  
  The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.
  
  Default value is 1m.
  
  syncField string
  
  The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
- tags array[string] Required
  
  List of tags
- timeWindow object Required
  
  Defines properties for the SLO time window
  
  Hide timeWindow attributes Show timeWindow attributes object
  
  duration string Required
  
  the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)
  
  type string Required
  
  Indicates weither the time window is a rolling or a calendar aligned time window.
  
  Values are rolling or calendarAligned.
- updatedAt string Required
  
  The last update date
- version number Required
  
  The internal SLO version
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
403 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

PUT /s/{spaceId}/api/observability/slos/{sloId}

curl \
 --request PUT 'https://localhost:5601/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"budgetingMethod":"occurrences","description":"string","groupBy":[["service.name"],"service.name",["service.name","service.environment"]],"indicator":{"params":{"dataViewId":"03b80ab3-003d-498b-881c-3beedbaf1162","filter":"field.environment : \"production\" and service.name : \"my-service\"","good":"request.latency \u003c= 150 and request.status_code : \"2xx\"","index":"my-service-*","timestampField":"timestamp","total":"field.environment : \"production\" and service.name : \"my-service\""},"type":"sli.kql.custom"},"name":"string","objective":{"target":0.99,"timesliceTarget":0.995,"timesliceWindow":"5m"},"settings":{"frequency":"5m","preventInitialBackfill":true,"syncDelay":"5m","syncField":"event.ingested"},"tags":["string"],"timeWindow":{"duration":"30d","type":"rolling"}}'

Request examples

# Headers
kbn-xsrf: string

# Payload
{
  "budgetingMethod": "occurrences",
  "description": "string",
  "groupBy": [
    [
      "service.name"
    ],
    "service.name",
    [
      "service.name",
      "service.environment"
    ]
  ],
  "indicator": {
    "params": {
      "dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
      "filter": "field.environment : \"production\" and service.name : \"my-service\"",
      "good": "request.latency <= 150 and request.status_code : \"2xx\"",
      "index": "my-service-*",
      "timestampField": "timestamp",
      "total": "field.environment : \"production\" and service.name : \"my-service\""
    },
    "type": "sli.kql.custom"
  },
  "name": "string",
  "objective": {
    "target": 0.99,
    "timesliceTarget": 0.995,
    "timesliceWindow": "5m"
  },
  "settings": {
    "frequency": "5m",
    "preventInitialBackfill": true,
    "syncDelay": "5m",
    "syncField": "event.ingested"
  },
  "tags": [
    "string"
  ],
  "timeWindow": {
    "duration": "30d",
    "type": "rolling"
  }
}

Response examples (200)

{
  "budgetingMethod": "occurrences",
  "createdAt": "2023-01-12T10:03:19.000Z",
  "description": "My SLO description",
  "enabled": true,
  "groupBy": [
    [
      "service.name"
    ],
    "service.name",
    [
      "service.name",
      "service.environment"
    ]
  ],
  "id": "8853df00-ae2e-11ed-90af-09bb6422b258",
  "indicator": {
    "params": {
      "dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
      "filter": "field.environment : \"production\" and service.name : \"my-service\"",
      "good": "request.latency <= 150 and request.status_code : \"2xx\"",
      "index": "my-service-*",
      "timestampField": "timestamp",
      "total": "field.environment : \"production\" and service.name : \"my-service\""
    },
    "type": "sli.kql.custom"
  },
  "name": "My Service SLO",
  "objective": {
    "target": 0.99,
    "timesliceTarget": 0.995,
    "timesliceWindow": "5m"
  },
  "revision": 2,
  "settings": {
    "frequency": "5m",
    "preventInitialBackfill": true,
    "syncDelay": "5m",
    "syncField": "event.ingested"
  },
  "tags": [
    "string"
  ],
  "timeWindow": {
    "duration": "30d",
    "type": "rolling"
  },
  "updatedAt": "2023-01-12T10:03:19.000Z",
  "version": 2
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "Invalid value 'foo' supplied to: [...]",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 403
}

Response examples (404)

{
  "error": "Not Found",
  "message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
  "statusCode": 404
}

Enable streams Technical Preview

POST /api/streams/_enable

Api key auth Basic auth

Enables wired streams

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

object

Additional properties are NOT allowed.

POST /api/streams/_enable

curl \
 --request POST 'https://localhost:5601/api/streams/_enable' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true"

Request examples

# Headers
kbn-xsrf: true

# Payload
{}

Add parameters

POST /api/synthetics/params

Api key auth Basic auth

Add one or more parameters to the Synthetics app. You must have all privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.

application/json

Body array[object] | object Required

The request body can contain either a single parameter object or an array of parameter objects.

Show attributes object

description string

A description of the parameter.
key string Required

The key of the parameter.
share_across_spaces boolean

Specify whether the parameter should be shared across spaces.
tags array[string]

An array of tags to categorize the parameter.
value string Required

The value associated with the parameter.

description string

A description of the parameter.
key string Required

The key of the parameter.
share_across_spaces boolean

Specify whether the parameter should be shared across spaces.
tags array[string]

An array of tags to categorize the parameter.
value string Required

The value associated with the parameter.

Responses

200 application/json

A successful response.
One of:
array-1 array[object] Synthetics_postParameterResponse object
Hide attributes Show attributes object

description string

A description of the parameter.

id string

The unique identifier for the parameter.

key string

The parameter key.

share_across_spaces boolean

Indicates whether the parameter is shared across spaces.

tags array[string]

An array of tags associated with the parameter.

value string

The value associated with the parameter.
Hide attributes Show attributes

description string

A description of the parameter.

id string

The unique identifier for the parameter.

key string

The parameter key.

share_across_spaces boolean

Indicates whether the parameter is shared across spaces.

tags array[string]

An array of tags associated with the parameter.

value string

The value associated with the parameter.

POST /api/synthetics/params

curl \
 --request POST 'https://localhost:5601/api/synthetics/params' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"key\": \"your-key-name\",\n  \"value\": \"your-parameter-value\",\n  \"description\": \"Param to use in browser monitor\",\n  \"tags\": [\"authentication\", \"security\"],\n  \"share_across_spaces\": true\n}"'

Request examples

Add a single parameter.

{
  "key": "your-key-name",
  "value": "your-parameter-value",
  "description": "Param to use in browser monitor",
  "tags": ["authentication", "security"],
  "share_across_spaces": true
}

Add multiple parameters.

[
  {
    "key": "param1",
    "value": "value1"
  },
  {
    "key": "param2",
    "value": "value2"
  }
]

Response examples (200)

A successful response for a single added parameter.

{
  "id": "unique-parameter-id",
  "key": "your-key-name",
  "value": "your-param-value",
  "description": "Param to use in browser monitor",
  "tags": ["authentication", "security"],
  "share_across_spaces": true
}

A successful response for multiple added parameters.

[
  {
    "id": "param1-id",
    "key": "param1",
    "value": "value1"
  },
  {
    "id": "param2-id",
    "key": "param2",
    "value": "value2"
  }
]

Get a parameter

GET /api/synthetics/params/{id}

Api key auth Basic auth

Get a parameter from the Synthetics app. You must have read privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.

Path parameters

id string Required

The unique identifier for the parameter.

Responses

200 application/json

A successful response.
Hide response attributes Show response attributes object
- description string
  
  The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
- id string
  
  The unique identifier of the parameter.
- key string
  
  The key of the parameter.
- namespaces array[string]
  
  The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
- tags array[string]
  
  An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
- value string
  
  The value associated with the parameter. It will be included in the response if the user has write permissions.

GET /api/synthetics/params/{id}

curl \
 --request GET 'https://localhost:5601/api/synthetics/params/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response for a user with read-only permissions to get a single parameter.

{
  "id": "unique-parameter-id",
  "key": "your-api-key",
  "description": "Param to use in browser monitor",
  "tags": ["authentication", "security"],
  "namespaces": ["namespace1", "namespace2"]
}

A successful response for a user with write permissions to get a single parameter.

{
  "id": "unique-parameter-id",
  "key": "your-param-key",
  "description": "Param to use in browser monitor",
  "tags": ["authentication", "security"],
  "namespaces": ["namespace1", "namespace2"],
  "value": "your-param-value"
}

connector object

value string | null | boolean Required

connector object Required

value string | null | boolean

Get all alerts for a case Technical preview

Body Required

Clean up detection alert migrations Deprecated

Body Required

Body Required

groupBy string | array[string]

indicator object

filter string | object

good string | object Required

total string | object Required

groupBy string | array[string] Required

indicator object Required

filter string | object

good string | object Required

total string | object Required

Enable streams Technical Preview

Body array[object] | object Required