Kibana APIs
1.0.2

Base URL
https://localhost:5601

The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation.

To interact with Kibana APIs, use the following operations:

  • GET: Fetches the information.
  • PATCH: Applies partial modifications to the existing information.
  • POST: Adds new information.
  • PUT: Updates the existing information.
  • DELETE: Removes the information.

You can prepend any Kibana API endpoint with kbn: and run the request in Dev Tools → Console. For example:

GET kbn:/api/data_views

For more information about the console, refer to Run API requests.

NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.

Documentation source and versions

This documentation is derived from the main branch of the kibana repository. It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.

This documentation contains work-in-progress information for future Elastic Stack releases.

This is version 1.0.2 of this API documentation. Last update on Feb 11, 2025.
































Enable a rule

POST /api/alerting/rule/{id}/_enable

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_enable
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_enable \
 --header "kbn-xsrf: true"




Unmute all alerts

POST /api/alerting/rule/{id}/_unmute_all

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_unmute_all
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_unmute_all \
 --header "kbn-xsrf: true"





















Create or update agent configuration

PUT /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • overwrite boolean

    If the config exists ?overwrite=true is required

application/json

Body Required

  • Agent name

  • service object Required

    Service

    Additional properties are allowed.

    Hide service attributes Show service attributes object
  • settings object Required

    Agent configuration settings

    Hide settings attribute Show settings attribute object
    • * string Additional properties

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
PUT /api/apm/settings/agent-configuration
curl \
 --request PUT https://localhost:5601/api/apm/settings/agent-configuration \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"agent_name":"string","service":{"environment":"prod","name":"node"},"settings":{"additionalProperty1":"string","additionalProperty2":"string"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "agent_name": "string",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}




















APM agent keys

Configure APM agent keys to authorize requests from APM agents to the APM Server.















Save APM server schema

POST /api/apm/fleet/apm_server_schema

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • schema object

    Schema object

    Additional properties are allowed.

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/fleet/apm_server_schema
curl \
 --request POST https://localhost:5601/api/apm/fleet/apm_server_schema \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"schema":{"foo":"bar"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "schema": {
    "foo": "bar"
  }
}
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get source maps

GET /api/apm/sourcemaps

Returns an array of Fleet artifacts, including source map uploads.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

GET /api/apm/sourcemaps
curl \
 --request GET https://localhost:5601/api/apm/sourcemaps \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "artifacts": [
    {
      "body": {
        "bundleFilepath": "string",
        "serviceName": "string",
        "serviceVersion": "string",
        "sourceMap": {
          "file": "string",
          "mappings": "string",
          "sourceRoot": "string",
          "sources": [
            "string"
          ],
          "sourcesContent": [
            "string"
          ],
          "version": 42.0
        }
      },
      "compressionAlgorithm": "string",
      "created": "string",
      "decodedSha256": "string",
      "decodedSize": 42.0,
      "encodedSha256": "string",
      "encodedSize": 42.0,
      "encryptionAlgorithm": "string",
      "id": "string",
      "identifier": "string",
      "packageName": "string",
      "relative_url": "string",
      "type": "string"
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}




Delete source map

DELETE /api/apm/sourcemaps/{id}

Delete a previously uploaded source map.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    Source map identifier

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
  • 501 application/json

    Not Implemented response

    Hide response attributes Show response attributes object
DELETE /api/apm/sourcemaps/{id}
curl \
 --request DELETE https://localhost:5601/api/apm/sourcemaps/{id} \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

















Get case information

GET /api/cases/{caseId}

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}
curl \
 --request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414
{
  "id": "31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzM2LDFd",
  "category": null,
  "comments": [
    {
      "id": "2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment",
      "version": "WzM3LDFd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-10-13T15:40:32.335Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": null,
      "updated_by": null
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "assignees": [
    {
      "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    }
  ],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2023-10-13T15:33:50.604Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2023-10-13T15:40:32.335Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": null
    }
  ],
  "totalComment": 1,
  "external_service": null
}
{
  "id": "c3ff7550-def1-4e90-b6bc-c9969a4a09b1",
  "tags": [
    "observability",
    "tag 1"
  ],
  "owner": "observability",
  "title": "Observability case title 1",
  "status": "in-progress",
  "version": "WzI0NywyXQ==",
  "category": null,
  "comments": [
    {
      "id": "59d438d0-79a9-4864-8d4b-e63adacebf6e",
      "rule": {
        "id": "03e4eb87-62ca-4e5d-9570-3d7625e9669d",
        "name": "Observability rule"
      },
      "type": "alert",
      "index": [
        ".internal.alerts-observability.logs.alerts-default-000001"
      ],
      "owner": "observability",
      "alertId": [
        "a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
      ],
      "version": "WzY3LDJd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-11-06T19:29:38.424Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": null,
      "updated_by": null
    },
    {
      "id": "d99342d3-3aa3-4b80-90ec-a702607604f5",
      "type": "user",
      "owner": "observability",
      "comment": "The first comment.",
      "version": "WzcyLDJd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-11-06T19:29:57.812Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": null,
      "updated_by": null
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [
    {
      "uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
    }
  ],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2023-11-06T19:29:04.086Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "updated_at": "2023-11-06T19:47:55.662Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "An Observability case description.",
  "totalAlerts": 1,
  "customFields": [],
  "totalComment": 1,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}








Delete all case comments and alerts

DELETE /api/cases/{caseId}/comments

Deletes all comments and alerts from a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

  • Indicates a successful call.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
DELETE /api/cases/{caseId}/comments
curl \
 --request DELETE https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
 --header "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
















Push a case to an external service

POST /api/cases/{caseId}/connector/{connectorId}/_push

You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

  • connectorId string Required

    An identifier for the connector. To retrieve connector IDs, use the find connectors API.

application/json

Body

object | null object | null

Additional properties are allowed.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/connector/{connectorId}/_push
curl \
 --request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/connector/abed3a70-71bd-11ea-a0b2-c51ea50a58e2/_push \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string"
Request examples
# Headers
kbn-xsrf: string

# Payload
{}
Response examples (200)
{
  "id": "b917f300-0ed9-11ed-bd18-65557fe66949",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzE3NjgsM10=",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "Low",
      "issueType": "10006"
    }
  },
  "created_at": "2022-07-29T00:59:39.444Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "updated_at": "2022-07-29T01:20:58.436Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "totalComment": 0,
  "external_service": {
    "pushed_at": "2022-07-29T01:20:58.436Z",
    "pushed_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "external_id": "71926",
    "connector_id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
    "external_url": "https://cases.jira.com",
    "connector_name": "My connector",
    "external_title": "ES-554"
  }
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}




Find case activity

GET /api/cases/{caseId}/user_actions/_find

Retrives a paginated list of user activity for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • Determines the sort order.

    Values are asc or desc. Default value is desc.

  • types array[string]

    Determines the types of user actions to return.

    Values are action, alert, assignees, attachment, comment, connector, create_case, description, pushed, settings, severity, status, tags, title, or user.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • page integer
    • perPage integer
    • total integer
    • userActions array[object]

      Not more than 10000 elements.

      Hide userActions attributes Show userActions attributes object
      • action string Required

        Values are add, create, delete, push_to_service, or update.

      • comment_id string | null Required
      • created_at string(date-time) Required
      • created_by object Required

        Additional properties are allowed.

        Hide created_by attributes Show created_by attributes object
      • id string Required
      • owner string Required

        The application that owns the cases: Stack Management, Observability, or Elastic Security.

        Values are cases, observability, or securitySolution.

      • payload object | null Required

        One of:
        Hide attribute Show attribute
      • type string Required

        The type of action.

        Values are assignees, create_case, comment, connector, description, pushed, tags, title, status, settings, or severity.

      • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/user_actions/_find
curl \
 --request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions/_find
Response examples (200)
{
  "page": 1,
  "total": 3,
  "perPage": 20,
  "userActions": [
    {
      "id": "b4cd0770-07c9-11ed-a5fd-47154cb8767e",
      "type": "create_case",
      "owner": "cases",
      "action": "create",
      "payload": {
        "tags": [
          "tag 1"
        ],
        "owner": "cases",
        "title": "Case title 1",
        "status": "open",
        "category": null,
        "settings": {
          "syncAlerts": false
        },
        "severity": "low",
        "assignees": [],
        "connector": {
          "id": "none",
          "name": "none",
          "type": ".none",
          "fields": null
        },
        "description": "A case description.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "My field value"
          },
          {
            "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
            "type": "toggle",
            "value": null
          }
        ]
      },
      "version": "WzM1ODg4LDFd",
      "comment_id": null,
      "created_at": "2023-10-20T01:17:22.150Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "57af14a0-03b1-11ed-920c-974bfa104448",
      "type": "comment",
      "owner": "cases",
      "action": "create",
      "payload": {
        "type": "user",
        "owner": "cases",
        "comment": "A new comment"
      },
      "version": "WzM1ODg4LDFa",
      "comment_id": "578608d0-03b1-11ed-920c-974bfa104448",
      "created_at": "2023-10-14T20:12:53.354Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "573c6980-6123-11ed-aa41-81a0a61fe447",
      "type": "assignees",
      "owner": "cases",
      "action": "add",
      "payload": {
        "assignees": {
          "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
        }
      },
      "version": "WzM1ODg4LDFb",
      "comment_id": null,
      "created_at": "2023-10-20T01:10:28.238Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ]
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}


































































Update an existing dashboard Technical Preview

PUT /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    A unique identifier for the dashboard.

application/json

Body

  • attributes object Required

    Additional properties are NOT allowed.

    Hide attributes attributes Show attributes attributes object
    • Additional properties are NOT allowed.

      Hide controlGroupInput attributes Show controlGroupInput attributes object
      • Show apply selections button in controls.

        Default value is true.

      • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

        Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

      • controls array[object]

        An array of control panels and their state in the control group.

        Default value is [] (empty).

        Hide controls attributes Show controls attributes object
        • Additional properties are allowed.

        • grow boolean

          Expand width of the control panel to fit available space.

          Default value is false.

        • id string

          The unique ID of the control.

        • order number Required

          The order of the control panel in the control group.

        • type string Required

          The type of the control panel.

        • width string

          Minimum width of the control panel in the control group.

          Values are small, medium, or large. Default value is medium.

      • Additional properties are allowed.

      • ignoreParentSettings object Required

        Additional properties are NOT allowed.

        Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
        • Ignore global filters in controls.

          Default value is false.

        • Ignore the global query bar in controls.

          Default value is false.

        • Ignore the global time range in controls.

          Default value is false.

        • Ignore validations in controls.

          Default value is false.

      • Position of the labels for controls. For example, "oneLine", "twoLine".

        Values are oneLine or twoLine. Default value is oneLine.

    • A short description.

      Default value is empty.

    • A container for various metadata

      Default value is {} (empty). Additional properties are NOT allowed.

      Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
      • Additional properties are allowed.

        Hide searchSource attributes Show searchSource attributes object
        • filter array[object]
          Hide filter attributes Show filter attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

            Hide meta attributes Show meta attributes object
          • query object

            Additional properties are allowed.

        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
        • sort array[object]
        • type string
    • options object Required

      Additional properties are NOT allowed.

      Hide options attributes Show options attributes object
      • Hide the panel titles in the dashboard.

        Default value is false.

      • syncColors boolean

        Synchronize colors between related panels in the dashboard.

        Default value is true.

      • syncCursor boolean

        Synchronize cursor position between related panels in the dashboard.

        Default value is true.

      • Synchronize tooltips between related panels in the dashboard.

        Default value is true.

      • useMargins boolean

        Show margins between panels in the dashboard layout.

        Default value is true.

    • panels array[object]

      Default value is [] (empty).

      Hide panels attributes Show panels attributes object
      • gridData object Required

        Additional properties are NOT allowed.

        Hide gridData attributes Show gridData attributes object
        • h number

          The height of the panel in grid units

          Minimum value is 1. Default value is 15.

        • i string

          The unique identifier of the panel

        • w number

          The width of the panel in grid units

          Minimum value is 1, maximum value is 48. Default value is 24.

        • x number Required

          The x coordinate of the panel in grid units

        • y number Required

          The y coordinate of the panel in grid units

      • id string

        The saved object id for by reference panels

      • panelConfig object Required

        Additional properties are allowed.

        Hide panelConfig attributes Show panelConfig attributes object
      • The unique ID of the panel.

      • title string

        The title of the panel

      • type string Required

        The embeddable type

      • version string Deprecated

        The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

    • A container for various refresh interval settings

      Additional properties are NOT allowed.

      Hide refreshInterval attributes Show refreshInterval attributes object
      • display string Deprecated

        A human-readable string indicating the refresh frequency. No longer used.

      • pause boolean Required

        Whether the refresh interval is set to be paused while viewing the dashboard.

      • section number Deprecated

        No longer used.

      • value number Required

        A numeric value indicating refresh frequency in milliseconds.

    • timeFrom string

      An ISO string indicating when to restore time from

    • Whether to restore time upon viewing this dashboard

      Default value is false.

    • timeTo string

      An ISO string indicating when to restore time from

    • title string Required

      A human-readable title for the dashboard

    • version number Deprecated
  • references array[object]
    Hide references attributes Show references attributes object

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • Show apply selections button in controls.

            Default value is true.

          • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • Ignore global filters in controls.

              Default value is false.

            • Ignore the global query bar in controls.

              Default value is false.

            • Ignore the global time range in controls.

              Default value is false.

            • Ignore validations in controls.

              Default value is false.

          • Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • A short description.

          Default value is empty.

        • A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]
              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • version string
PUT /api/dashboards/dashboard/{id}
curl \
 --request PUT https://localhost:5601/api/dashboards/dashboard/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"attributes":{"controlGroupInput":{"autoApplySelections":true,"chainingSystem":"HIERARCHICAL","controls":[{"controlConfig":{},"grow":false,"id":"string","order":42.0,"type":"string","width":"medium"}],"enhancements":{},"ignoreParentSettings":{"ignoreFilters":false,"ignoreQuery":false,"ignoreTimerange":false,"ignoreValidations":false},"labelPosition":"oneLine"},"description":"","kibanaSavedObjectMeta":{"searchSource":{"filter":[{"$state":{"store":"appState"},"meta":{"alias":"string","controlledBy":"string","disabled":true,"field":"string","group":"string","index":"string","isMultiIndex":true,"key":"string","negate":true,"type":"string","value":"string"},"query":{}}],"query":{"language":"string","query":"string"},"sort":[{}],"type":"string"}},"options":{"hidePanelTitles":false,"syncColors":true,"syncCursor":true,"syncTooltips":true,"useMargins":true},"panels":[{"gridData":{"h":15,"i":"string","w":24,"x":42.0,"y":42.0},"id":"string","panelConfig":{"description":"string","enhancements":{},"hidePanelTitles":true,"savedObjectId":"string","title":"string","version":"string"},"panelIndex":"string","panelRefName":"string","title":"string","type":"string","version":"string"}],"refreshInterval":{"display":"string","pause":true,"section":42.0,"value":42.0},"timeFrom":"string","timeRestore":false,"timeTo":"string","title":"string","version":42.0},"references":[{"id":"string","name":"string","type":"string"}]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "attributes": {
    "controlGroupInput": {
      "autoApplySelections": true,
      "chainingSystem": "HIERARCHICAL",
      "controls": [
        {
          "controlConfig": {},
          "grow": false,
          "id": "string",
          "order": 42.0,
          "type": "string",
          "width": "medium"
        }
      ],
      "enhancements": {},
      "ignoreParentSettings": {
        "ignoreFilters": false,
        "ignoreQuery": false,
        "ignoreTimerange": false,
        "ignoreValidations": false
      },
      "labelPosition": "oneLine"
    },
    "description": "",
    "kibanaSavedObjectMeta": {
      "searchSource": {
        "filter": [
          {
            "$state": {
              "store": "appState"
            },
            "meta": {
              "alias": "string",
              "controlledBy": "string",
              "disabled": true,
              "field": "string",
              "group": "string",
              "index": "string",
              "isMultiIndex": true,
              "key": "string",
              "negate": true,
              "type": "string",
              "value": "string"
            },
            "query": {}
          }
        ],
        "query": {
          "language": "string",
          "query": "string"
        },
        "sort": [
          {}
        ],
        "type": "string"
      }
    },
    "options": {
      "hidePanelTitles": false,
      "syncColors": true,
      "syncCursor": true,
      "syncTooltips": true,
      "useMargins": true
    },
    "panels": [
      {
        "gridData": {
          "h": 15,
          "i": "string",
          "w": 24,
          "x": 42.0,
          "y": 42.0
        },
        "id": "string",
        "panelConfig": {
          "description": "string",
          "enhancements": {},
          "hidePanelTitles": true,
          "savedObjectId": "string",
          "title": "string",
          "version": "string"
        },
        "panelIndex": "string",
        "panelRefName": "string",
        "title": "string",
        "type": "string",
        "version": "string"
      }
    ],
    "refreshInterval": {
      "display": "string",
      "pause": true,
      "section": 42.0,
      "value": 42.0
    },
    "timeFrom": "string",
    "timeRestore": false,
    "timeTo": "string",
    "title": "string",
    "version": 42.0
  },
  "references": [
    {
      "id": "string",
      "name": "string",
      "type": "string"
    }
  ]
}
Response examples (200)
{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  }
}









Get data streams

GET /api/fleet/data_streams

[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].

Responses

GET /api/fleet/data_streams
curl \
 --request GET https://localhost:5601/api/fleet/data_streams
Response examples (200)
{
  "data_streams": [
    {
      "dashboards": [
        {
          "id": "string",
          "title": "string"
        }
      ],
      "dataset": "string",
      "index": "string",
      "last_activity_ms": 42.0,
      "namespace": "string",
      "package": "string",
      "package_version": "string",
      "serviceDetails": {
        "environment": "string",
        "serviceName": "string"
      },
      "size_in_bytes": 42.0,
      "size_in_bytes_formatted": 42.0,
      "type": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}









Create a data view

POST /api/data_views/data_view

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • data_view object Required

    The data view object.

    Additional properties are allowed.

    Hide data_view attributes Show data_view attributes object
    • Allows the data view saved object to exist before the data is available.

    • Hide fieldAttrs attribute Show fieldAttrs attribute object
      • * object Additional properties

        A map of field attributes by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object
    • A map of field formats by field name.

      Additional properties are allowed.

    • fields object

      Additional properties are allowed.

    • id string
    • name string

      The data view name.

    • namespaces array[string]

      An array of space identifiers for sharing the data view between multiple spaces.

      Default value is default.

    • Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
      • * object Additional properties

        A map of runtime field definitions by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object
        • script object Required

          Additional properties are allowed.

          Hide script attribute Show script attribute object
          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      Hide sourceFilters attribute Show sourceFilters attribute object
    • The timestamp field name, which you use for time-based data views.

    • title string Required

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • type string

      When set to rollup, identifies the rollup data views.

    • typeMeta object

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Additional properties are allowed.

      Hide typeMeta attributes Show typeMeta attributes object
      • aggs object Required

        A map of rollup restrictions by aggregation type and field name.

        Additional properties are allowed.

      • params object Required

        Properties for retrieving rollup fields.

        Additional properties are allowed.

    • version string
  • override boolean

    Override an existing data view if a data view with the provided title already exists.

    Default value is false.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • Additional properties are allowed.

      Hide data_view attributes Show data_view attributes object
      • Allows the data view saved object to exist before the data is available.

      • Hide fieldAttrs attribute Show fieldAttrs attribute object
        • * object Additional properties

          A map of field attributes by field name.

          Additional properties are allowed.

          Hide * attributes Show * attributes object
      • A map of field formats by field name.

        Additional properties are allowed.

      • fields object

        Additional properties are allowed.

      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
        • * object Additional properties

          A map of runtime field definitions by field name.

          Additional properties are allowed.

          Hide * attributes Show * attributes object
          • script object Required

            Additional properties are allowed.

            Hide script attribute Show script attribute object
            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        Hide sourceFilters attribute Show sourceFilters attribute object
      • The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Additional properties are allowed.

        Hide typeMeta attributes Show typeMeta attributes object | null
        • aggs object

          A map of rollup restrictions by aggregation type and field name.

          Additional properties are allowed.

        • params object

          Properties for retrieving rollup fields.

          Additional properties are allowed.

      • version string
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view
curl \
 --request POST https://localhost:5601/api/data_views/data_view \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"data_view":{"name":"My Logstash data view","title":"logstash-*","runtimeFieldMap":{"runtime_shape_name":{"type":"keyword","script":{"source":"emit(doc['shape_name'].value)"}}}}}'
Request example
{
  "data_view": {
    "name": "My Logstash data view",
    "title": "logstash-*",
    "runtimeFieldMap": {
      "runtime_shape_name": {
        "type": "keyword",
        "script": {
          "source": "emit(doc['shape_name'].value)"
        }
      }
    }
  }
}
Response examples (200)
{
  "data_view": {
    "allowNoIndex": true,
    "fieldAttrs": {
      "additionalProperty1": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      },
      "additionalProperty2": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      }
    },
    "fieldFormats": {},
    "fields": {},
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "string",
    "namespaces": [
      "default"
    ],
    "runtimeFieldMap": {
      "additionalProperty1": {
        "script": {
          "source": "string"
        },
        "type": "string"
      },
      "additionalProperty2": {
        "script": {
          "source": "string"
        },
        "type": "string"
      }
    },
    "sourceFilters": [
      {
        "value": "string"
      }
    ],
    "timeFieldName": "string",
    "title": "string",
    "typeMeta": {
      "aggs": {},
      "params": {}
    },
    "version": "WzQ2LDJd"
  }
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}




























Update a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • runtimeField object Required

    The runtime field definition object.

    You can update following fields:

    • type
    • script

    Additional properties are allowed.

Responses

  • Indicates a successful call.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
 --request POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day \
 --header "Content-Type: application/json" \
 --data '{"runtimeField":{"script":{"source":"emit(doc[\"bar\"].value)"}}}'
Request example
{
  "runtimeField": {
    "script": {
      "source": "emit(doc[\"bar\"].value)"
    }
  }
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}




Get the default data view

GET /api/data_views/default

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
GET /api/data_views/default
curl \
 --request GET https://localhost:5601/api/data_views/default
Response examples (200)
{
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}








































Bulk reassign agents

POST /api/fleet/agents/bulk_reassign

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/agents/bulk_reassign
curl \
 --request POST https://localhost:5601/api/fleet/agents/bulk_reassign \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"policy_id":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agents": [
    "string"
  ],
  "batchSize": 42.0,
  "includeInactive": false,
  "policy_id": "string"
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

















Get agent binary download sources

GET /api/fleet/agent_download_sources

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • host string(uri) Required
      • id string Required
      • is_default boolean

        Default value is false.

      • name string Required
      • proxy_id string | null

        The ID of the proxy to use for this download source. See the proxies API for more information.

    • page number Required
    • perPage number Required
    • total number Required
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/agent_download_sources
curl \
 --request GET https://localhost:5601/api/fleet/agent_download_sources
Response examples (200)
{
  "items": [
    {
      "host": "https://example.com",
      "id": "string",
      "is_default": false,
      "name": "string",
      "proxy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}





















































Delete an agent policy

POST /api/fleet/agent_policies/delete

Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agent_policies/delete
curl \
 --request POST https://localhost:5601/api/fleet/agent_policies/delete \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agentPolicyId":"string","force":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agentPolicyId": "string",
  "force": true
}
Response examples (200)
{
  "id": "string",
  "name": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}







































































Bulk get assets

POST /api/fleet/epm/bulk_assets

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • assetIds array[object] Required
    Hide assetIds attributes Show assetIds attributes object

Responses

POST /api/fleet/epm/bulk_assets
curl \
 --request POST https://localhost:5601/api/fleet/epm/bulk_assets \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"assetIds":[{"id":"string","type":"string"}]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "assetIds": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}
Response examples (200)
{
  "items": [
    {
      "appLink": "string",
      "attributes": {
        "description": "string",
        "service": "string",
        "title": "string"
      },
      "id": "string",
      "type": "string",
      "updatedAt": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
















































Get installed packages

GET /api/fleet/epm/packages/installed

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Query parameters

Responses

GET /api/fleet/epm/packages/installed
curl \
 --request GET https://localhost:5601/api/fleet/epm/packages/installed
Response examples (200)
{
  "items": [
    {
      "dataStreams": [
        {
          "name": "string",
          "title": "string"
        }
      ],
      "description": "string",
      "icons": [
        {
          "dark_mode": true,
          "path": "string",
          "size": "string",
          "src": "string",
          "title": "string",
          "type": "string"
        }
      ],
      "name": "string",
      "status": "string",
      "title": "string",
      "version": "string"
    }
  ],
  "searchAfter": [
    "string"
  ],
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}







































































Delete output

DELETE /api/fleet/outputs/{outputId}

Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

DELETE /api/fleet/outputs/{outputId}
curl \
 --request DELETE https://localhost:5601/api/fleet/outputs/{outputId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get the latest output health

GET /api/fleet/outputs/{outputId}/health

[Required authorization] Route required privileges: ALL of [fleet-settings-read].

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • message string Required

      long message if unhealthy

    • state string Required

      state of output, HEALTHY or DEGRADED

    • timestamp string Required

      timestamp of reported state

  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/outputs/{outputId}/health
curl \
 --request GET https://localhost:5601/api/fleet/outputs/{outputId}/health
Response examples (200)
{
  "message": "string",
  "state": "string",
  "timestamp": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get package policies

GET /api/fleet/package_policies

Query parameters

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
    • page number Required
    • perPage number Required
    • total number Required
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/package_policies
curl \
 --request GET https://localhost:5601/api/fleet/package_policies
Response examples (200)
{
  "items": [
    {
      "agents": 42.0,
      "created_at": "string",
      "created_by": "string",
      "description": "string",
      "elasticsearch": {
        "privileges": {
          "cluster": [
            "string"
          ]
        }
      },
      "enabled": true,
      "id": "string",
      "inputs": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "policy_template": "string",
          "streams": [
            {
              "config": {
                "additionalProperty1": {
                  "frozen": true,
                  "type": "string"
                },
                "additionalProperty2": {
                  "frozen": true,
                  "type": "string"
                }
              },
              "data_stream": {
                "dataset": "string",
                "elasticsearch": {
                  "dynamic_dataset": true,
                  "dynamic_namespace": true,
                  "privileges": {
                    "indices": [
                      "string"
                    ]
                  }
                },
                "type": "string"
              },
              "enabled": true,
              "id": "string",
              "keep_enabled": true,
              "release": "ga",
              "vars": {
                "additionalProperty1": {
                  "frozen": true,
                  "type": "string"
                },
                "additionalProperty2": {
                  "frozen": true,
                  "type": "string"
                }
              }
            }
          ],
          "type": "string",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "is_managed": true,
      "name": "string",
      "namespace": "string",
      "output_id": "string",
      "overrides": {
        "inputs": {}
      },
      "package": {
        "experimental_data_stream_features": [
          {
            "data_stream": "string",
            "features": {
              "doc_value_only_numeric": true,
              "doc_value_only_other": true,
              "synthetic_source": true,
              "tsdb": true
            }
          }
        ],
        "name": "string",
        "requires_root": true,
        "title": "string",
        "version": "string"
      },
      "policy_id": "string",
      "policy_ids": [
        "string"
      ],
      "revision": 42.0,
      "secret_references": [
        {
          "id": "string"
        }
      ],
      "spaceIds": [
        "string"
      ],
      "supports_agentless": false,
      "updated_at": "string",
      "updated_by": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "version": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a package policy

POST /api/fleet/package_policies

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body object

You should use inputs as an object and not use the deprecated inputs array.

Any of:
  • Package policy description

  • enabled boolean
  • force boolean

    Force package policy creation even if package is not verified, or if the agent policy is managed.

  • id string

    Package policy unique identifier

  • inputs array[object] Required
    Hide inputs attributes Show inputs attributes object
    • config object

      Package variable (see integration documentation for more information)

      Hide config attribute Show config attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
    • enabled boolean Required
    • id string
    • streams array[object]
      Hide streams attributes Show streams attributes object
      • config object

        Package variable (see integration documentation for more information)

        Hide config attribute Show config attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • data_stream object Required

        Additional properties are NOT allowed.

        Hide data_stream attributes Show data_stream attributes object
      • enabled boolean Required
      • id string
      • release string

        Values are ga, beta, or experimental.

      • vars object

        Package variable (see integration documentation for more information)

        Hide vars attribute Show vars attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
    • type string Required
    • vars object

      Package variable (see integration documentation for more information)

      Hide vars attribute Show vars attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
  • is_managed boolean
  • name string Required

    Package policy name (should be unique)

  • The package policy namespace. Leave blank to inherit the agent policy's namespace.

  • output_id string | null
  • overrides object | null

    Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

    Additional properties are NOT allowed.

    Hide overrides attribute Show overrides attribute object | null
    • inputs object

      Additional properties are allowed.

  • package object

    Additional properties are NOT allowed.

    Hide package attributes Show package attributes object
  • policy_id string | null Deprecated

    Agent policy ID where that package policy will be added

  • policy_ids array[string]

    Agent policy IDs where that package policy will be added

  • supports_agentless boolean | null

    Indicates whether the package policy belongs to an agentless agent policy.

    Default value is false.

  • vars object

    Package variable (see integration documentation for more information)

    Hide vars attribute Show vars attribute object
    • * object Additional properties

      Additional properties are NOT allowed.

      Hide * attributes Show * attributes object

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 409 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/package_policies
curl \
 --request POST https://localhost:5601/api/fleet/package_policies \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"description":"string","enabled":true,"force":true,"id":"string","inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "enabled": true,
  "force": true,
  "id": "string",
  "inputs": [
    {
      "config": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "enabled": true,
      "id": "string",
      "keep_enabled": true,
      "policy_template": "string",
      "streams": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "data_stream": {
            "dataset": "string",
            "elasticsearch": {
              "dynamic_dataset": true,
              "dynamic_namespace": true,
              "privileges": {
                "indices": [
                  "string"
                ]
              }
            },
            "type": "string"
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "release": "ga",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "type": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      }
    }
  ],
  "is_managed": true,
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "overrides": {
    "inputs": {}
  },
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {
    "additionalProperty1": {
      "frozen": true,
      "type": "string"
    },
    "additionalProperty2": {
      "frozen": true,
      "type": "string"
    }
  }
}
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "force": true,
  "id": "string",
  "inputs": {
    "additionalProperty1": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    },
    "additionalProperty2": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    }
  },
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {}
}
Response examples (200)
{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (409)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}





























Get proxies

GET /api/fleet/proxies

[Required authorization] Route required privileges: ALL of [fleet-settings-read].

Responses

GET /api/fleet/proxies
curl \
 --request GET https://localhost:5601/api/fleet/proxies
Response examples (200)
{
  "items": [
    {
      "certificate": "string",
      "certificate_authorities": "string",
      "certificate_key": "string",
      "id": "string",
      "is_preconfigured": false,
      "name": "string",
      "proxy_headers": {},
      "url": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}












Delete a proxy

DELETE /api/fleet/proxies/{itemId}

Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/proxies/{itemId}
curl \
 --request DELETE https://localhost:5601/api/fleet/proxies/{itemId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}


























































Delete a role

DELETE /api/security/role/{name}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • name string Required

    Minimum length is 1.

Responses

  • Indicates a successful call.

DELETE /api/security/role/{name}
curl \
 --request DELETE https://localhost:5601/api/security/role/{name} \
 --header "kbn-xsrf: true"














































































































Applies a bulk action to multiple Knowledge Base Entries

POST /api/security_ai_assistant/knowledge_base/entries/_bulk_action

The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs

application/json

Body

  • create array[object]
    Any of:
    Hide attributes Show attributes
    • name string Required

      Name of the Knowledge Base Entry

    • Kibana Space, defaults to 'default' space

    • users array[object]

      Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

      Hide users attributes Show users attributes object
    • kbResource string Required

      Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc

    • source string Required

      Source document name or filepath

    • text string Required

      Knowledge Base Entry content

    • type string Required Discriminator

      Entry type

      Value is document.

    • required boolean

      Whether this resource should always be included, defaults to false

    • vector object

      Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

      Additional properties are allowed.

      Hide vector attributes Show vector attributes object
      • modelId string Required

        ID of the model used to create the embeddings

      • tokens object Required

        Tokens with their corresponding values

        Hide tokens attribute Show tokens attribute object
        • * number Additional properties
  • delete object

    Additional properties are allowed.

    Hide delete attributes Show delete attributes object
    • ids array[string]

      Array of Knowledge base Entry IDs

      At least 1 element.

    • query string

      Query to filter Knowledge Base Entries

  • update array[object]
    Any of:
    Hide attributes Show attributes
    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • name string Required

      Name of the Knowledge Base Entry

    • Kibana Space, defaults to 'default' space

    • users array[object]

      Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

      Hide users attributes Show users attributes object
    • kbResource string Required

      Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc

    • source string Required

      Source document name or filepath

    • text string Required

      Knowledge Base Entry content

    • type string Required Discriminator

      Entry type

      Value is document.

    • required boolean

      Whether this resource should always be included, defaults to false

    • vector object

      Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

      Additional properties are allowed.

      Hide vector attributes Show vector attributes object
      • modelId string Required

        ID of the model used to create the embeddings

      • tokens object Required

        Tokens with their corresponding values

        Hide tokens attribute Show tokens attribute object
        • * number Additional properties

Responses

  • 200 application/json

    Successful bulk operation request

    Hide response attributes Show response attributes object
    • attributes object Required

      Additional properties are allowed.

      Hide attributes attributes Show attributes attributes object
      • errors array[object]
        Hide errors attributes Show errors attributes object
      • results object Required

        Additional properties are allowed.

        Hide results attributes Show results attributes object
        • created array[object] Required
          Any of:
          Hide attributes Show attributes
          • name string Required

            Name of the Knowledge Base Entry

          • namespace string Required

            Kibana Space, defaults to 'default' space

          • users array[object] Required

            Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

            Hide users attributes Show users attributes object
          • createdAt string Required

            Time the Knowledge Base Entry was created

          • createdBy string Required

            User who created the Knowledge Base Entry

          • id string(nonempty) Required

            A string that does not contain only whitespace characters

            Minimum length is 1.

          • updatedAt string Required

            Time the Knowledge Base Entry was last updated

          • updatedBy string Required

            User who last updated the Knowledge Base Entry

          • kbResource string Required

            Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc

          • source string Required

            Source document name or filepath

          • text string Required

            Knowledge Base Entry content

          • type string Required Discriminator

            Entry type

            Value is document.

          • required boolean

            Whether this resource should always be included, defaults to false

          • vector object

            Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

            Additional properties are allowed.

            Hide vector attributes Show vector attributes object
            • modelId string Required

              ID of the model used to create the embeddings

            • tokens object Required

              Tokens with their corresponding values

              Hide tokens attribute Show tokens attribute object
              • * number Additional properties
        • deleted array[string] Required
        • skipped array[object] Required
          Hide skipped attributes Show skipped attributes object
        • updated array[object] Required
          Any of:
          Hide attributes Show attributes
          • name string Required

            Name of the Knowledge Base Entry

          • namespace string Required

            Kibana Space, defaults to 'default' space

          • users array[object] Required

            Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

            Hide users attributes Show users attributes object
          • createdAt string Required

            Time the Knowledge Base Entry was created

          • createdBy string Required

            User who created the Knowledge Base Entry

          • id string(nonempty) Required

            A string that does not contain only whitespace characters

            Minimum length is 1.

          • updatedAt string Required

            Time the Knowledge Base Entry was last updated

          • updatedBy string Required

            User who last updated the Knowledge Base Entry

          • kbResource string Required

            Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc

          • source string Required

            Source document name or filepath

          • text string Required

            Knowledge Base Entry content

          • type string Required Discriminator

            Entry type

            Value is document.

          • required boolean

            Whether this resource should always be included, defaults to false

          • vector object

            Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

            Additional properties are allowed.

            Hide vector attributes Show vector attributes object
            • modelId string Required

              ID of the model used to create the embeddings

            • tokens object Required

              Tokens with their corresponding values

              Hide tokens attribute Show tokens attribute object
              • * number Additional properties
      • summary object Required

        Additional properties are allowed.

        Hide summary attributes Show summary attributes object
    • message string
    • statusCode integer
    • success boolean
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
POST /api/security_ai_assistant/knowledge_base/entries/_bulk_action
curl \
 --request POST https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_bulk_action \
 --header "Content-Type: application/json" \
 --data '{"create":[{"name":"string","namespace":"string","users":[{"id":"string","name":"string"}],"kbResource":"string","source":"string","text":"string","type":"document","required":true,"vector":{"modelId":"string","tokens":{"additionalProperty1":42.0,"additionalProperty2":42.0}}}],"delete":{"ids":["string"],"query":"string"},"update":[{"id":"string","name":"string","namespace":"string","users":[{"id":"string","name":"string"}],"kbResource":"string","source":"string","text":"string","type":"document","required":true,"vector":{"modelId":"string","tokens":{"additionalProperty1":42.0,"additionalProperty2":42.0}}}]}'
Request examples
{
  "create": [
    {
      "name": "string",
      "namespace": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ],
      "kbResource": "string",
      "source": "string",
      "text": "string",
      "type": "document",
      "required": true,
      "vector": {
        "modelId": "string",
        "tokens": {
          "additionalProperty1": 42.0,
          "additionalProperty2": 42.0
        }
      }
    }
  ],
  "delete": {
    "ids": [
      "string"
    ],
    "query": "string"
  },
  "update": [
    {
      "id": "string",
      "name": "string",
      "namespace": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ],
      "kbResource": "string",
      "source": "string",
      "text": "string",
      "type": "document",
      "required": true,
      "vector": {
        "modelId": "string",
        "tokens": {
          "additionalProperty1": 42.0,
          "additionalProperty2": 42.0
        }
      }
    }
  ]
}
Response examples (200)
{
  "attributes": {
    "errors": [
      {
        "err_code": "string",
        "knowledgeBaseEntries": [
          {
            "id": "string",
            "name": "string"
          }
        ],
        "message": "string",
        "statusCode": 42
      }
    ],
    "results": {
      "created": [
        {
          "name": "string",
          "namespace": "string",
          "users": [
            {
              "id": "string",
              "name": "string"
            }
          ],
          "createdAt": "string",
          "createdBy": "string",
          "id": "string",
          "updatedAt": "string",
          "updatedBy": "string",
          "kbResource": "string",
          "source": "string",
          "text": "string",
          "type": "document",
          "required": true,
          "vector": {
            "modelId": "string",
            "tokens": {
              "additionalProperty1": 42.0,
              "additionalProperty2": 42.0
            }
          }
        }
      ],
      "deleted": [
        "string"
      ],
      "skipped": [
        {
          "id": "string",
          "name": "string",
          "skip_reason": "KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED"
        }
      ],
      "updated": [
        {
          "name": "string",
          "namespace": "string",
          "users": [
            {
              "id": "string",
              "name": "string"
            }
          ],
          "createdAt": "string",
          "createdBy": "string",
          "id": "string",
          "updatedAt": "string",
          "updatedBy": "string",
          "kbResource": "string",
          "source": "string",
          "text": "string",
          "type": "document",
          "required": true,
          "vector": {
            "modelId": "string",
            "tokens": {
              "additionalProperty1": 42.0,
              "additionalProperty2": 42.0
            }
          }
        }
      ]
    },
    "summary": {
      "failed": 42,
      "skipped": 42,
      "succeeded": 42,
      "total": 42
    }
  },
  "knowledgeBaseEntriesCount": 42,
  "message": "string",
  "statusCode": 42,
  "success": true
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

































Delete an alerts index

DELETE /api/detection_engine/index

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough permissions response

    Hide response attributes Show response attributes object
  • 404 application/json

    Index does not exist response

  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
DELETE /api/detection_engine/index
curl \
 --request DELETE https://localhost:5601/api/detection_engine/index
Response examples (200)
{
  "acknowledged": true
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "message": "string",
  "status_code": 42
}
Response examples (404)
string
Response examples (500)
{
  "message": "string",
  "status_code": 42
}
































Delete multiple detection rules Deprecated

POST /api/detection_engine/rules/_bulk_delete

Deletes multiple rules.

application/json

Body Required

A JSON array of id or rule_id fields of the rules you want to delete.

  • id string(uuid)

    A universally unique identifier

  • rule_id string

    Could be any string, not necessarily a UUID

Responses

  • 200 application/json

    Indicates a successful call.

    One of:
    Hide attributes Show attributes
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications.

      • Additional properties are allowed.

      • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Additional properties are allowed.

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • Values are savedObjectConversion or savedObjectImport.

    • author array[string] Required
    • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

    • description string Required

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled.

    • exceptions_list array[object] Required
      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • list_id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required
    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

      const investigationFields = z.object({
        field_names: NonEmptyArray(NonEmptyString),
        override: z.boolean().optional(),
      });
      

      Additional properties are allowed.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Minimum value is 1.

    • meta object

      Additional properties are allowed.

    • name string Required

      Minimum length is 1.

    • Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required
    • required_fields array[object] Required
      Hide required_fields attributes Show required_fields attributes object
      • ecs boolean Required

        Whether the field is an ECS field

      • name string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • type string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Hide attributes Show attributes
    • risk_score integer Required

      Risk score (0 to 100)

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • Sets the source field for the alert's signal.rule.name value

    • setup string Required
    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required
      • operator string Required

        Value is equals.

      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required
      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Additional properties are allowed.

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:

      Values are no_actions or rule.

    • Timeline template ID

    • Timeline template title

    • Sets the time field used to query indices

    • Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • Additional properties are allowed.

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required

        Additional properties are allowed.

        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required

          Additional properties are allowed.

          Hide metrics attributes Show metrics attributes object
          • Duration in seconds of execution gap

            Minimum value is 0.

          • Range of the execution gap

            Additional properties are allowed.

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A universally unique identifier

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      Minimum value is 0.

    • rule_id string Required

      Could be any string, not necessarily a UUID

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      EQL query to execute

    • type string Required Discriminator

      Rule type

      Value is eql.

    • Additional properties are allowed.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object

        Additional properties are allowed.

        Hide duration attributes Show duration attributes object
        • unit string Required

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • filters array
    • index array[string]
    • Sets a secondary field for sorting events

    • Contains the event timestamp used for sorting a sequence of events

  • 400 application/json

    Invalid input data response

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
POST /api/detection_engine/rules/_bulk_delete
curl \
 --request POST https://localhost:5601/api/detection_engine/rules/_bulk_delete \
 --header "Content-Type: application/json" \
 --data '[{"id":"string","rule_id":"string"}]'
Request examples
[
  {
    "id": "string",
    "rule_id": "string"
  }
]
Response examples (200)
[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "ecs": true,
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "created_at": "2025-05-04T09:42:00+00:00",
    "created_by": "string",
    "execution_summary": {
      "last_execution": {
        "date": "2025-05-04T09:42:00+00:00",
        "message": "string",
        "metrics": {
          "execution_gap_duration_s": 42,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_enrichment_duration_ms": 42,
          "total_indexing_duration_ms": 42,
          "total_search_duration_ms": 42
        },
        "status": "going to run",
        "status_order": 42
      }
    },
    "id": "string",
    "immutable": true,
    "revision": 42,
    "rule_id": "string",
    "rule_source": {
      "is_customized": true,
      "type": "external"
    },
    "updated_at": "2025-05-04T09:42:00+00:00",
    "updated_by": "string",
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}

Delete multiple detection rules Deprecated

DELETE /api/detection_engine/rules/_bulk_delete

Delete detection rules in bulk.

application/json

Body Required

A JSON array of id or rule_id fields of the rules you want to delete.

  • id string(uuid)

    A universally unique identifier

  • rule_id string

    Could be any string, not necessarily a UUID

Responses

  • 200 application/json

    Indicates a successful call.

    One of:
    Hide attributes Show attributes
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications.

      • Additional properties are allowed.

      • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Additional properties are allowed.

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • Values are savedObjectConversion or savedObjectImport.

    • author array[string] Required
    • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

    • description string Required

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled.

    • exceptions_list array[object] Required
      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • list_id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required
    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

      const investigationFields = z.object({
        field_names: NonEmptyArray(NonEmptyString),
        override: z.boolean().optional(),
      });
      

      Additional properties are allowed.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Minimum value is 1.

    • meta object

      Additional properties are allowed.

    • name string Required

      Minimum length is 1.

    • Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required
    • required_fields array[object] Required
      Hide required_fields attributes Show required_fields attributes object
      • ecs boolean Required

        Whether the field is an ECS field

      • name string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • type string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Hide attributes Show attributes
    • risk_score integer Required

      Risk score (0 to 100)

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • Sets the source field for the alert's signal.rule.name value

    • setup string Required
    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required
      • operator string Required

        Value is equals.

      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required
      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Additional properties are allowed.

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:

      Values are no_actions or rule.

    • Timeline template ID

    • Timeline template title

    • Sets the time field used to query indices

    • Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • Additional properties are allowed.

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required

        Additional properties are allowed.

        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required

          Additional properties are allowed.

          Hide metrics attributes Show metrics attributes object
          • Duration in seconds of execution gap

            Minimum value is 0.

          • Range of the execution gap

            Additional properties are allowed.

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A universally unique identifier

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      Minimum value is 0.

    • rule_id string Required

      Could be any string, not necessarily a UUID

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      EQL query to execute

    • type string Required Discriminator

      Rule type

      Value is eql.

    • Additional properties are allowed.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object

        Additional properties are allowed.

        Hide duration attributes Show duration attributes object
        • unit string Required

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • filters array
    • index array[string]
    • Sets a secondary field for sorting events

    • Contains the event timestamp used for sorting a sequence of events

  • 400 application/json

    Invalid input data response

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
DELETE /api/detection_engine/rules/_bulk_delete
curl \
 --request DELETE https://localhost:5601/api/detection_engine/rules/_bulk_delete \
 --header "Content-Type: application/json" \
 --data '[{"id":"string","rule_id":"string"}]'
Request examples
[
  {
    "id": "string",
    "rule_id": "string"
  }
]
Response examples (200)
[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "ecs": true,
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "created_at": "2025-05-04T09:42:00+00:00",
    "created_by": "string",
    "execution_summary": {
      "last_execution": {
        "date": "2025-05-04T09:42:00+00:00",
        "message": "string",
        "metrics": {
          "execution_gap_duration_s": 42,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_enrichment_duration_ms": 42,
          "total_indexing_duration_ms": 42,
          "total_search_duration_ms": 42
        },
        "status": "going to run",
        "status_order": 42
      }
    },
    "id": "string",
    "immutable": true,
    "revision": 42,
    "rule_id": "string",
    "rule_source": {
      "is_customized": true,
      "type": "external"
    },
    "updated_at": "2025-05-04T09:42:00+00:00",
    "updated_by": "string",
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}






































































































Get action details

GET /api/endpoint/action/{action_id}

Get the details of a response action using the action ID.

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

GET /api/endpoint/action/{action_id}
curl \
 --request GET https://localhost:5601/api/endpoint/action/{action_id}
Response examples (200)
{}








Run a command

POST /api/endpoint/action/execute

Run a shell command on an endpoint.

application/json

Body Required

  • The host agent type (optional). Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Additional properties are allowed.

    Hide parameters attributes Show parameters attributes object
    • command string Required

      The command to be executed (cannot be an empty string)

      Minimum length is 1. Values are isolate, unisolate, kill-process, suspend-process, running-processes, get-file, execute, upload, or scan.

    • timeout integer

      The maximum timeout value in milliseconds (optional)

      Minimum value is 1.

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

POST /api/endpoint/action/execute
curl \
 --request POST https://localhost:5601/api/endpoint/action/execute \
 --header "Content-Type: application/json" \
 --data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{"command":"isolate","timeout":42}}'
Request examples
{
  "agent_type": "endpoint",
  "alert_ids": [
    "string"
  ],
  "case_ids": [
    "string"
  ],
  "comment": "string",
  "endpoint_ids": [
    "string"
  ],
  "parameters": {
    "command": "isolate",
    "timeout": 42
  }
}
Response examples (200)
{}




































Upload a file

POST /api/endpoint/action/upload

Upload a file to an endpoint.

application/json

Body Required

  • The host agent type (optional). Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Additional properties are allowed.

    Hide parameters attribute Show parameters attribute object
  • file string(binary) Required

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

POST /api/endpoint/action/upload
curl \
 --request POST https://localhost:5601/api/endpoint/action/upload \
 --header "Content-Type: application/json" \
 --data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{"overwrite":false},"file":"@file"}'
Request examples
{
  "agent_type": "endpoint",
  "alert_ids": [
    "string"
  ],
  "case_ids": [
    "string"
  ],
  "comment": "string",
  "endpoint_ids": [
    "string"
  ],
  "parameters": {
    "overwrite": false
  },
  "file": "@file"
}
Response examples (200)
{}





































































































































Update an exception list item

PUT /api/exception_lists/items

Update an exception list item using the id or item_id field.

application/json

Body Required

Exception list item's properties

  • _version string

    The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

  • comments array[object]

    Default value is [] (empty).

    Hide comments attributes Show comments attributes object
    • comment string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • id string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • description string Required

    Describes the exception list.

  • entries array[object] Required
    Any of:
    Hide attributes Show attributes
    • field string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • operator string Required

      Values are excluded or included.

    • type string Required Discriminator

      Value is match.

    • value string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • expire_time string(date-time)

    The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

  • id string(nonempty)

    Exception's identifier.

    Minimum length is 1.

  • item_id string(nonempty)

    Human readable string identifier, e.g. trusted-linux-processes

    Minimum length is 1.

  • list_id string(nonempty)

    Exception list's human readable string identifier, e.g. trusted-linux-processes.

    Minimum length is 1.

  • meta object

    Additional properties are allowed.

  • name string(nonempty) Required

    Exception list name.

    Minimum length is 1.

  • Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

  • os_types array[string]

    Use this field to specify the operating system.

    Values are linux, macos, or windows. Default value is [] (empty).

  • tags array[string(nonempty)]

    String array containing words and phrases to help categorize exception items.

    Minimum length of each is 1. Default value is [] (empty).

  • type string Required

    Value is simple.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • comments array[object] Required

      Array of comment fields:

      • comment (string): Comments about the exception item.
      Hide comments attributes Show comments attributes object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updated_at string(date-time)

        Autogenerated date of last object update.

      • updated_by string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)

      The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

    • id string(nonempty) Required

      Exception's identifier.

      Minimum length is 1.

    • item_id string(nonempty) Required

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows. Default value is [] (empty).

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1. Default value is [] (empty).

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Value is simple.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

  • 400 application/json

    Invalid input data response

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    Exception list item not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
PUT /api/exception_lists/items
curl \
 --request PUT https://localhost:5601/api/exception_lists/items \
 --header "Content-Type: application/json" \
 --data '{"name":"Updated name","tags":[],"type":"simple","entries":[{"type":"match","field":"host.name","value":"rock01","operator":"included"}],"item_id":"simple_list_item","comments":[],"description":"Updated description","namespace_type":"single"}'
Request example
{
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "comments": [],
  "description": "Updated description",
  "namespace_type": "single"
}
Response examples (200)
{
  "id": "459c5e7e-f8b2-4f0b-b136-c1fc702f72da",
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzEyLDFd",
  "comments": [],
  "os_types": [],
  "created_at": "2025-01-07T21:12:25.512Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T21:34:50.233Z",
  "updated_by": "elastic",
  "description": "Updated description",
  "namespace_type": "single",
  "tie_breaker_id": "ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0"
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "[request body]: item_id: Expected string, received number",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404)
{
  "message": "exception list item item_id: \\\"foo\\\" does not exist",
  "status_code": 404
}
Response examples (500)
{
  "message": "Internal Server Error",
  "status_code": 500
}