Spaces

Get the alerting framework health

GET /api/alerting/_health

You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Indicates a successful call.
Hide response attributes Show response attributes object
- alerting_framework_health object
  
  Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.
  
  Additional properties are allowed.
  
  Hide alerting_framework_health attributes Show alerting_framework_health attributes object
  
  decryption_health object
  
  The timestamp and status of the rule decryption.
  
  Additional properties are allowed.
  
  Hide decryption_health attributes Show decryption_health attributes object
  
  status string
  
  Values are error, ok, or warn.
  
  timestamp string(date-time)
  
  execution_health object
  
  The timestamp and status of the rule run.
  
  Additional properties are allowed.
  
  Hide execution_health attributes Show execution_health attributes object
  
  status string
  
  Values are error, ok, or warn.
  
  timestamp string(date-time)
  
  read_health object
  
  The timestamp and status of the rule reading events.
  
  Additional properties are allowed.
  
  Hide read_health attributes Show read_health attributes object
  
  status string
  
  Values are error, ok, or warn.
  
  timestamp string(date-time)
- has_permanent_encryption_key boolean
  
  If false, the encrypted saved object plugin does not have a permanent encryption key.
- is_sufficiently_secure boolean
  
  If false, security is enabled but TLS is not.
401 application/json; Elastic-Api-Version=2023-10-31

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

GET /api/alerting/_health

curl \
 --request GET https://localhost:5601/api/alerting/_health \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "is_sufficiently_secure": true,
  "alerting_framework_health": {
    "read_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "execution_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "decryption_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "has_permanent_encryption_key": true
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Delete source map

DELETE /api/apm/sourcemaps/{id}

Api key auth Basic auth

Delete a previously uploaded source map.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

Source map identifier

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Successful response

Additional properties are NOT allowed.
400 application/json; Elastic-Api-Version=2023-10-31

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json; Elastic-Api-Version=2023-10-31

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json; Elastic-Api-Version=2023-10-31

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json; Elastic-Api-Version=2023-10-31

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
501 application/json; Elastic-Api-Version=2023-10-31

Not Implemented response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

DELETE /api/apm/sourcemaps/{id}

curl \
 --request DELETE https://localhost:5601/api/apm/sourcemaps/{id} \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"

Response examples (200)

{}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}

Response examples (500)

{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

Response examples (501)

{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Add a case comment or alert

POST /api/cases/{caseId}/comments

Api key auth Basic auth

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

application/json; Elastic-Api-Version=2023-10-31

Body object Required

The add comment to case API request body varies depending on whether you are adding an alert or a comment.

Defines properties for case comment requests when type is alert.

alertId string | array[string] Required

The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

One of:
string-1 string array-2 array[string]
index string | array[string] Required

The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

One of:
string-1 string array-2 array[string]
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
rule object Required Technical preview

The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Additional properties are allowed.
Hide rule attributes Show rule attributes object
- id string
  
  The rule identifier.
- name string
  
  The rule name.
type string Required Discriminator

The type of comment.

Value is alert.

Defines properties for case comment requests when type is user.

comment string Required

The new comment. It is required only when type is user.

Maximum length is 30000.
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
type string Required Discriminator

The type of comment.

Value is user.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Additional properties are allowed.
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Additional properties are allowed.
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Additional properties are allowed.
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Additional properties are allowed.
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Additional properties are allowed.
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Additional properties are allowed.
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Additional properties are allowed.
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Additional properties are allowed.
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Additional properties are allowed.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Additional properties are allowed.
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Additional properties are allowed.
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Additional properties are allowed.
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Additional properties are allowed.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Additional properties are allowed.
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json; Elastic-Api-Version=2023-10-31

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

POST /api/cases/{caseId}/comments

curl \
 --request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 --header "kbn-xsrf: string"

Request example

{
  "type": "user",
  "owner": "cases",
  "comment": "A new comment."
}

Response examples (200)

{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Delete a connector Deprecated

DELETE /api/actions/action/{id}

Api key auth Basic auth

WARNING: When you delete a connector, it cannot be recovered.

Headers

elastic-api-version string

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

Responses

204

Indicates a successful call.

DELETE /api/actions/action/{id}

curl \
 --request DELETE https://localhost:5601/api/actions/action/{id} \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"

Run a connector

POST /api/actions/connector/{id}/_execute

Api key auth Basic auth

You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.

Headers

elastic-api-version string

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

application/json; Elastic-Api-Version=2023-10-31

Body

params object Required
One of:
run_acknowledge_resolve_pagerduty object run_documents object run_message_email object run_message_serverlog object run_message_slack object run_trigger_pagerduty object run_addevent object run_closealert object run_closeincident object run_createalert object run_fieldsbyissuetype object run_getchoices object run_getfields object run_getincident object run_issue object run_issues object run_issuetypes object run_postmessage object run_pushtoservice object run_validchannelid object
Test an action that acknowledges or resolves a PagerDuty alert.
Hide attributes Show attributes

dedupKey string Required

The deduplication key for the PagerDuty alert.

Maximum length is 255.

eventAction string Required

The type of event.

Values are acknowledge or resolve.
Test an action that indexes a document into Elasticsearch.
Hide attribute Show attribute

documents array[object] Required

The documents in JSON format for index connectors.

Additional properties are allowed.
Test an action that sends an email message. There must be at least one recipient in to, cc, or bcc.
Hide attributes Show attributes

bcc array[string]

A list of "blind carbon copy" email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format

cc array[string]

A list of "carbon copy" email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format

message string Required

The email message text. Markdown format is supported.

subject string Required

The subject line of the email.

to array[string]

A list of email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format.
Test an action that writes an entry to the Kibana server log.
Hide attributes Show attributes

level string

The log level of the message for server log connectors.

Values are debug, error, fatal, info, trace, or warn. Default value is info.

message string Required

The message for server log connectors.
Test an action that sends a message to Slack. It is applicable only when the connector type is .slack.
Hide attribute Show attribute

message string Required

The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
Test an action that triggers a PagerDuty alert.
Hide attributes Show attributes

class string

The class or type of the event.

component string

The component of the source machine that is responsible for the event.

customDetails object

Additional details to add to the event.

Additional properties are allowed.

dedupKey string

All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution.

Maximum length is 255.

eventAction string Required

The type of event.

Value is trigger.

group string

The logical grouping of components of a service.

links array[object]

A list of links to add to the event.

Hide links attributes Show links attributes object

href string

The URL for the link.

text string

A plain text description of the purpose of the link.

severity string

The severity of the event on the affected system.

Values are critical, error, info, or warning. Default value is info.

source string

The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action.

summary string

A summery of the event.

Maximum length is 1024.

timestamp string(date-time)

An ISO-8601 timestamp that indicates when the event was detected or generated.
The addEvent subaction for ServiceNow ITOM connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is addEvent.

subActionParams object

The set of configuration properties for the action.

Additional properties are allowed.

Hide subActionParams attributes Show subActionParams attributes object

additional_info string

Additional information about the event.

description string

The details about the event.

event_class string

A specific instance of the source.

message_key string

All actions sharing this key are associated with the same ServiceNow alert. The default value is <rule ID>:<alert instance ID>.

metric_name string

The name of the metric.

node string

The host that the event was triggered for.

resource string

The name of the resource.

severity string

The severity of the event.

source string

The name of the event source type.

time_of_event string

The time of the event.

type string

The type of event.
The closeAlert subaction for Opsgenie connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is closeAlert.

subActionParams object Required

Additional properties are allowed.

Hide subActionParams attributes Show subActionParams attributes object

alias string Required

The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert.

note string

Additional information for the alert.

source string

The display name for the source of the alert.

user string

The display name for the owner.
The closeIncident subaction for ServiceNow ITSM connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is closeIncident.

subActionParams object Required

Additional properties are allowed.

Hide subActionParams attribute Show subActionParams attribute object

incident object Required

Any of:
object-1 object object-2 object

Hide attributes Show attributes

correlation_id string | null Required

An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.

Maximum length is 100. Default value is {{rule.id}}:{{alert.id}}.

externalId string | null

The unique identifier (incidentId) for the incident in ServiceNow.

Hide attributes Show attributes

correlation_id string | null

An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.

Maximum length is 100. Default value is {{rule.id}}:{{alert.id}}.

externalId string | null Required

The unique identifier (incidentId) for the incident in ServiceNow.
The createAlert subaction for Opsgenie and TheHive connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is createAlert.

subActionParams object Required

Additional properties are allowed.

Hide subActionParams attributes Show subActionParams attributes object

actions array[string]

The custom actions available to the alert in Opsgenie connectors.

alias string

The unique identifier used for alert deduplication in Opsgenie.

description string

A description that provides detailed information about the alert.

details object

The custom properties of the alert in Opsgenie connectors.

Additional properties are allowed.

entity string

The domain of the alert in Opsgenie connectors. For example, the application or server name.

message string

The alert message in Opsgenie connectors.

note string

Additional information for the alert in Opsgenie connectors.

priority string

The priority level for the alert in Opsgenie connectors.

Values are P1, P2, P3, P4, or P5.

responders array[object]

The entities to receive notifications about the alert in Opsgenie connectors. If type is user, either id or username is required. If type is team, either id or name is required.

Hide responders attributes Show responders attributes object

id string

The identifier for the entity.

name string

The name of the entity.

type string

The type of responders, in this case escalation.

Values are escalation, schedule, team, or user.

username string

A valid email address for the user.

severity integer

The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).

Minimum value is 1, maximum value is 4.

source string

The display name for the source of the alert in Opsgenie and TheHive connectors.

sourceRef string

A source reference for the alert in TheHive connectors.

tags array[string]

The tags for the alert in Opsgenie and TheHive connectors.

title string

A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base.

tlp integer

The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).

Minimum value is 0, maximum value is 4. Default value is 2.

type string

The type of alert in TheHive connectors.

user string

The display name for the owner.

visibleTo array[object]

The teams and users that the alert will be visible to without sending a notification. Only one of id, name, or username is required.

Hide visibleTo attributes Show visibleTo attributes object

id string

The identifier for the entity.

name string

The name of the entity.

type string Required

Valid values are team and user.

Values are team or user.

username string

The user name. This property is required only when the type is user.
The fieldsByIssueType subaction for Jira connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is fieldsByIssueType.

subActionParams object Required

Additional properties are allowed.

Hide subActionParams attribute Show subActionParams attribute object

id string Required

The Jira issue type identifier.
The getChoices subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is getChoices.

subActionParams object Required

The set of configuration properties for the action.

Additional properties are allowed.

Hide subActionParams attribute Show subActionParams attribute object

fields array[string] Required

An array of fields.
The getFields subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
Hide attribute Show attribute

subAction string Required

The action to test.

Value is getFields.
The getIncident subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is getIncident.

subActionParams object Required

Additional properties are allowed.

Hide subActionParams attribute Show subActionParams attribute object

externalId string Required

The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier.
The issue subaction for Jira connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is issue.

subActionParams object

Additional properties are allowed.

Hide subActionParams attribute Show subActionParams attribute object

id string Required

The Jira issue identifier.
The issues subaction for Jira connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is issues.

subActionParams object Required

Additional properties are allowed.

Hide subActionParams attribute Show subActionParams attribute object

title string Required

The title of the Jira issue.
The issueTypes subaction for Jira connectors.
Hide attribute Show attribute

subAction string Required

The action to test.

Value is issueTypes.
Test an action that sends a message to Slack. It is applicable only when the connector type is .slack_api.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is postMessage.

subActionParams object Required

The set of configuration properties for the action.

Additional properties are allowed.

Hide subActionParams attributes Show subActionParams attributes object

channelIds array[string]

The Slack channel identifier, which must be one of the allowedChannels in the connector configuration.

Not more than 1 element.

channels array[string] Deprecated

The name of a channel that your Slack app has access to.

Not more than 1 element.

text string

The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages.

Minimum length is 1.
The pushToService subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is pushToService.

subActionParams object Required

The set of configuration properties for the action.

Additional properties are allowed.

Hide subActionParams attributes Show subActionParams attributes object

comments array[object]

Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive.

Hide comments attributes Show comments attributes object

comment string

A comment related to the incident. For example, describe how to troubleshoot the issue.

commentId integer

A unique identifier for the comment.

incident object

Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident.

Additional properties are allowed.

Hide incident attributes Show incident attributes object

additional_fields string | null

Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format.

Maximum length is 20.

alertId string

The alert identifier for Swimlane connectors.

caseId string

The case identifier for the incident for Swimlane connectors.

caseName string

The case name for the incident for Swimlane connectors.

category string

The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.

correlation_display string

A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors.

correlation_id string

The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as {{ruleID}}:{{alert ID}} to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of {{ruleID}}:{{alert ID}} ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.

description string

The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.

dest_ip string | array[string]

A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.

One of:
string-1 string array-2 array[string]

externalId string

The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.

id string

The external case identifier for Webhook - Case Management connectors.

impact string

The impact of the incident for ServiceNow ITSM connectors.

issueType integer

The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set subAction to issueTypes.

labels array[string]

The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces.

malware_hash string | array[string]

A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident.

One of:
string-1 string array-2 array[string]

malware_url string | array[string]

A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident.

One of:
string-1 string array-2 array[string]

otherFields object

Custom field identifiers and their values for Jira connectors.

Additional properties are allowed.

parent string

The ID or key of the parent issue for Jira connectors. Applies only to Sub-task types of issues.

priority string

The priority of the incident in Jira and ServiceNow SecOps connectors.

ruleName string

The rule name for Swimlane connectors.

severity integer

The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).

short_description string

A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base.

source_ip string | array[string]

A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.

One of:
string-1 string array-2 array[string]

status string

The status of the incident for Webhook - Case Management connectors.

subcategory string

The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.

summary string

A summary of the incident for Jira connectors.

tags array[string]

A list of tags for TheHive and Webhook - Case Management connectors.

title string

A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base.

tlp integer

The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).

Minimum value is 0, maximum value is 4. Default value is 2.

urgency string

The urgency of the incident for ServiceNow ITSM connectors.
Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is .slack_api.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is validChannelId.

subActionParams object Required

Additional properties are allowed.

Hide subActionParams attribute Show subActionParams attribute object

channelId string Required

The Slack channel identifier.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Indicates a successful call.
Hide response attributes Show response attributes object
- config object
  
  Additional properties are allowed.
- connector_type_id string Required
  
  The connector type identifier.
- id string Required
  
  The identifier for the connector.
- is_deprecated boolean Required
  
  Indicates whether the connector is deprecated.
- is_missing_secrets boolean
  
  Indicates whether the connector is missing secrets.
- is_preconfigured boolean Required
  
  Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.
- is_system_action boolean Required
  
  Indicates whether the connector is used for system actions.
- name string Required
  
  The name of the rule.

POST /api/actions/connector/{id}/_execute

curl \
 --request POST https://localhost:5601/api/actions/connector/{id}/_execute \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"

Request examples

{
  "params": {
    "documents": [
      {
        "id": "my_doc_id",
        "name": "my_doc_name",
        "message": "hello, world"
      }
    ]
  }
}

{
  "params": {
    "subAction": "issueTypes"
  }
}

{
  "params": {
    "subAction": "getChoices",
    "subActionParams": {
      "fields": [
        "severity",
        "urgency"
      ]
    }
  }
}

{
  "params": {
    "subAction": "postMessage",
    "subActionParams": {
      "text": "A test message.",
      "channelIds": [
        "C123ABC456"
      ]
    }
  }
}

{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "comments": [
        {
          "comment": "A comment about the incident.",
          "commentId": 1
        }
      ],
      "incident": {
        "caseId": "1000",
        "caseName": "Case name",
        "description": "Description of the incident."
      }
    }
  }
}

Response examples (200)

{
  "data": {
    "took": 135,
    "items": [
      {
        "create": {
          "_id": "4JtvwYUBrcyxt2NnfW3y",
          "_index": "my-index",
          "result": "created",
          "status": 201,
          "_seq_no": 0,
          "_shards": {
            "total": 2,
            "failed": 0,
            "successful": 1
          },
          "_version": 1,
          "_primary_term": 1
        }
      }
    ],
    "errors": false
  },
  "status": "ok",
  "connector_id": "fd38c600-96a5-11ed-bb79-353b74189cba"
}

{
  "data": [
    {
      "id": 10024,
      "name": "Improvement"
    },
    {
      "id": 10006,
      "name": "Task"
    },
    {
      "id": 10007,
      "name": "Sub-task"
    },
    {
      "id": 10025,
      "name": "New Feature"
    },
    {
      "id": 10023,
      "name": "Bug"
    },
    {
      "id": 10000,
      "name": "Epic"
    }
  ],
  "status": "ok",
  "connector_id": "b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}

{
  "status": "ok",
  "connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}

{
  "data": [
    {
      "label": "Critical",
      "value": 1,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Major",
      "value": 2,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Minor",
      "value": 3,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Warning",
      "value": 4,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "OK",
      "value": 5,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Clear",
      "value": 0,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "1 - High",
      "value": 1,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "2 - Medium",
      "value": 2,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "3 - Low",
      "value": 3,
      "element": "urgency",
      "dependent_value": ""
    }
  ],
  "status": "ok",
  "connector_id": "9d9be270-2fd2-11ed-b0e0-87533c532698"
}

{
  "data": {
    "ok": true,
    "ts": "1234567890.123456",
    "channel": "C123ABC456",
    "message": {
      "ts": "1234567890.123456",
      "team": "T01ABCDE2F",
      "text": "A test message",
      "type": "message",
      "user": "U12A345BC6D",
      "app_id": "A01BC2D34EF",
      "blocks": [
        {
          "type": "rich_text",
          "block_id": "/NXe",
          "elements": [
            {
              "type": "rich_text_section",
              "elements": [
                {
                  "text": "A test message.",
                  "type": "text"
                }
              ]
            }
          ]
        }
      ],
      "bot_id": "B12BCDEFGHI",
      "bot_profile": {
        "id": "B12BCDEFGHI",
        "name": "test",
        "icons": {
          "image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"
        },
        "app_id": "A01BC2D34EF",
        "deleted": false,
        "team_id": "T01ABCDE2F",
        "updated": 1672169705
      }
    }
  },
  "status": "ok",
  "connector_id": ".slack_api"
}

{
  "data": {
    "id": "aKPmBHWzmdRQtx6Mx",
    "url": "https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx",
    "title": "TEST-457",
    "comments": [
      {
        "commentId": 1,
        "pushedDate": "2022-09-08T16:52:27.865Z"
      }
    ],
    "pushedDate": "2022-09-08T16:52:27.866Z"
  },
  "status": "ok",
  "connector_id": "a4746470-2f94-11ed-b0e0-87533c532698"
}

Update a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Api key auth Basic auth

Path parameters

fieldName string Required

The name of the runtime field.
viewId string Required

An identifier for the data view.

application/json; Elastic-Api-Version=2023-10-31

Body Required

runtimeField object Required
The runtime field definition object.

You can update following fields:
- type
- script
Additional properties are allowed.

Responses

200

Indicates a successful call.
400 application/json; Elastic-Api-Version=2023-10-31

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

curl \
 --request POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request example

{
  "runtimeField": {
    "script": {
      "source": "emit(doc[\"bar\"].value)"
    }
  }
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Create agent binary download source

POST /api/fleet/agent_download_sources

Api key auth Basic auth

application/json; Elastic-Api-Version=2023-10-31

Body

host string Required
id string
is_default boolean Required
name string Required

Responses

200 application/json; Elastic-Api-Version=2023-10-31

OK
Hide response attribute Show response attribute object
- item object
  
  Additional properties are allowed.
  
  Hide item attributes Show item attributes object
  
  host string Required
  
  id string
  
  is_default boolean Required
  
  name string Required
  
  proxy_id string | null
  
  The ID of the proxy to use for this download source. See the proxies API for more information.
400 application/json; Elastic-Api-Version=2023-10-31

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

POST /api/fleet/agent_download_sources

curl \
 --request POST https://localhost:5601/api/fleet/agent_download_sources \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request examples

{
  "host": "string",
  "id": "string",
  "is_default": true,
  "name": "string"
}

Response examples (200)

{
  "item": {
    "host": "string",
    "id": "string",
    "is_default": true,
    "name": "string",
    "proxy_id": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk request diagnostics from agents

POST /api/fleet/agents/bulk_request_diagnostics

Api key auth Basic auth

Headers

kbn-xsrf string Required

Kibana's anti Cross-Site Request Forgery token. Can be any string value.

application/json; Elastic-Api-Version=2023-10-31

Body

additional_metrics array[string]
agents string | array[string] Required

One of:
string-1 string array-2 array[string]

KQL query string, leave empty to action all agents
batchSize number

Responses

200 application/json; Elastic-Api-Version=2023-10-31

OK
Hide response attribute Show response attribute object
- actionId string
400 application/json; Elastic-Api-Version=2023-10-31

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

POST /api/fleet/agents/bulk_request_diagnostics

curl \
 --request POST https://localhost:5601/api/fleet/agents/bulk_request_diagnostics \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 --header "kbn-xsrf: string"

Request example

{
  "agents": "fleet-agents.policy_id : (\"policy1\" or \"policy2\")"
}

Response examples (200)

{
  "actionId": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Clean up detection alert migrations

DELETE /api/detection_engine/signals/migration

Api key auth Basic auth

Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted.

While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation.

application/json; Elastic-Api-Version=2023-10-31

Body Required

Array of migration_ids to cleanup

migration_ids array[string] Required

Array of migration_ids to cleanup.

At least 1 element.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Successful response
Hide response attributes Show response attributes object
- destinationIndex string Required
- error object
  
  Additional properties are allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  status_code integer Required
- id string Required
- sourceIndex string Required
- status string Required
  
  Values are success, failure, or pending.
- updated string(date-time) Required
- version string Required
400 application/json; Elastic-Api-Version=2023-10-31

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json; Elastic-Api-Version=2023-10-31

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json; Elastic-Api-Version=2023-10-31

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

DELETE /api/detection_engine/signals/migration

curl \
 --request DELETE https://localhost:5601/api/detection_engine/signals/migration \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request example

{
  "migration_ids": [
    "924f7c50-505f-11eb-ae0a-3fa2e626a51d"
  ]
}

Response examples (200)

{
  "migrations": [
    {
      "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "status": "success",
      "updated": "2021-01-06T22:05:56.859Z",
      "version": 16,
      "sourceIndex": ".siem-signals-default-000002",
      "destinationIndex": ".siem-signals-default-000002-r000016"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Create an endpoint exception list item

POST /api/endpoint_list/items

Api key auth Basic auth

Create an endpoint exception list item, and associate it with the endpoint exception list.

application/json; Elastic-Api-Version=2023-10-31

Body Required

Exception list item's properties

comments array[object]
Array of comment fields:
- comment (string): Comments about the exception item.
Hide comments attributes Show comments attributes object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- updated_at string(date-time)
  
  Autogenerated date of last object update.
- updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
entries array[object] Required
Any of:
Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list object Required

Additional properties are allowed.

Hide list attributes Show list attributes object

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is list.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is exists.
Hide attributes Show attributes

entries array[object] Required

At least 1 element.

One of:
Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is exists.

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required Discriminator

Value is nested.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is wildcard.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
os_types array[string]

Use this field to specify the operating system.

Values are linux, macos, or windows.
tags array[string(nonempty)]

String array containing words and phrases to help categorize exception items.

Minimum length of each is 1.
type string Required

Value is simple.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Additional properties are allowed.
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows.
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json; Elastic-Api-Version=2023-10-31

Invalid input data
One of:
Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json; Elastic-Api-Version=2023-10-31

Unsuccessful authentication
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json; Elastic-Api-Version=2023-10-31

Insufficient privileges
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
409 application/json; Elastic-Api-Version=2023-10-31

Endpoint list item already exists
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json; Elastic-Api-Version=2023-10-31

Internal server error
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/endpoint_list/items

curl \
 --request POST https://localhost:5601/api/endpoint_list/items \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request examples

{
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00Z",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00Z",
      "updated_by": "string"
    }
  ],
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "item_id": "simple_list_item",
  "meta": {},
  "name": "string",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "type": "simple"
}

Response examples (200)

{
  "_version": "string",
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00Z",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00Z",
      "updated_by": "string"
    }
  ],
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "expire_time": "2025-05-04T09:42:00Z",
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "meta": {},
  "name": "string",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "simple",
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (409)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Delete an endpoint exception list item

DELETE /api/endpoint_list/items

Api key auth Basic auth

Delete an endpoint exception list item using the id or item_id field.

Query parameters

id string(nonempty)

Either id or item_id must be specified

Minimum length is 1.
item_id string(nonempty)

Either id or item_id must be specified

Minimum length is 1.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Additional properties are allowed.
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows.
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json; Elastic-Api-Version=2023-10-31

Invalid input data
One of:
Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json; Elastic-Api-Version=2023-10-31

Unsuccessful authentication
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json; Elastic-Api-Version=2023-10-31

Insufficient privileges
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json; Elastic-Api-Version=2023-10-31

Endpoint list item not found
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json; Elastic-Api-Version=2023-10-31

Internal server error
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

DELETE /api/endpoint_list/items

curl \
 --request DELETE https://localhost:5601/api/endpoint_list/items \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "_version": "string",
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00Z",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00Z",
      "updated_by": "string"
    }
  ],
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "expire_time": "2025-05-04T09:42:00Z",
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "meta": {},
  "name": "string",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "simple",
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (404)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Create a space

POST /api/spaces/space

Api key auth Basic auth

Headers

elastic-api-version string

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

_reserved boolean
color string

The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
description string

A description for the space.
disabledFeatures array[string]

The list of features that are turned off in the space.

Default value is [] (empty).
id string Required

The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.
imageUrl string

The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
initials string

One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.

Maximum length is 2.
name string Required

The display name for the space.

Minimum length is 1.
solution string

Values are security, oblt, es, or classic.

Responses

200

Indicates a successful call.

POST /api/spaces/space

curl \
 --request POST https://localhost:5601/api/spaces/space \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"

Request example

{
  "id": "marketing",
  "name": "Marketing",
  "color": null,
  "imageUrl": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAD4AAABACAYAAABC6cT1AAAGf0lEQVRoQ+3abYydRRUH8N882xYo0IqagEVjokQJKAiKBjXExC9G/aCkGowCIghCkRcrVSSKIu/FEiqgGL6gBIlAYrAqUTH6hZgQFVEMKlQFfItWoQWhZe8z5uzMLdvbfbkLxb13d+fbvfe588x/zpn/+Z9zJpmnI81T3BaAzzfLL1h8weLzZAcWXH2eGHo7zAWLL1h8nuzAjFw9G1N6Kzq8HnuM36MR8iibF3Fv4q+7cv8yDV6K13bYq2furSP8Ag8ncr/vnSnwRViJT2GfCV7yL1yHGxLb+l3EdM9lluNEnIC9xz+f2ZL4Er6Z2DrdXN3fZwp8CU7OfDHxggle8lTLbQ1nJ/7Z7yKmey5zYGZt4h2IzR8/trRc2PDlxJPTzfVcgJ+CC0wMPOa9F6cm7up3EVM9V9386MxliVdM8GwAv6hh/awCz/w7lY25OtF5ruBz4ZLP42NYNrDAFbC3YPWuILnMAfgq3oaRQQYea/stViV+sgssvjKzLvGySeaaNVfP4d7Btokgvxj/bblgpueuF1hmWcyTCmfE3J3M1lTcv0vMswM88zR+jpw4osu6me8kzkpsfLZWzxyRuabO22buxxOJ12FxnXfWgEe83pB5sOE47BsLymzscOoi7nw2JJfZreUjiUsTyzKPZm5NvBDvSuw268AzNzV8H5/Am+qCnsAXgpgSW2Zq9cyKlksbPlTd+te4quWNieMHBfiNDdciYnwsdI/MaOaWhnMTf54J8CqNj8x8JXFIZltYu+HqlmNT8YSBsHgAPw/vxvlVV4du/s0oaxbxg0TbL/jMni0nNcVjQq7+HZfgtpbzBg342TgQ63AkmsymxBW4IjE6A+D7Vzd/fyWxIM/VuCe+HzTgZ2Jpy/kNJ2FJLmLm24mPJ/42A+Bvrxt4SISwlhsaPodH26LZB8rVA3inwwebsrixJCZzX+KMxI/7AV61eVh3DV6Mx3EOvh4kN6jAg8nfUCXm4d1wE66OyxNPTQc+s3/o/MoXizL3JE5O3F3P/uBZPPF4Zr+Wi5uSO48ZPRdyCwn7YB/A35m5KhWNHox4fcNnIs0ddOCRSBxf8+cQG+Huf0l8NJVYP+nI7NXy2ar4QqIGm69JfKPOE2w/mBavCzwM11R2D+ChsUO7hyUfmwx55qDM1xJvqZ7y08TpifuGBfjeURVJnNIVGpkNiXNS0ds7jcySDitDCCWW56LJ10fRo8sNA+3qXUSZD2CtQlZh9T+1rB7h9oliembflnMbzqgSNZKbKGHdPm7OwXb1CvQ1metSETMpszmzvikCJNh/h5E5PHNl4qga/+/cxqrdeWDYgIe7X5L4cGJPJX2940lOX8pD41FnFnc4riluvQKbK0dcHJFi2IBHNTQSlguru4d2/wPOTNzRA3x5y+U1E1uqWDkETOT026XuUJzx6u7ReLhSYenQ7uHua0fKZmwfmcPqsQjxE5WVONcRxn7X89zgn/EKPMRMxOVQXmP18Mx3q3b/Y/0cQE/IhFtHESMsHFlZ1Ml3CH3DZPHImY+pxcKumNmYirtvqMBfhMuU6s3iqOQkTsMPe1tCQwO8Ajs0lxr7W+vnp1MJc9EgCNd/cy6x+9D4veXmprj5wxMw/3C4egW6zzgZOlYZzfwo3F2J7ael0pJamvlPKgWNKFft1AAcKotXoFEbD7kaoSoQPVKB35+5KHF0lai/rJo+up87jWEE/qqqwY+qrL21LWLm95lPJ16ppKw31XC3PXYPJauPEx7B6BHCgrSizRs18qiaRp8tlN3ueCTYPHH9RNaunjI8Z7wLYpT3jZSCYXQ8e9vTsRE/q+no3XMKeObgGtaintbb/AvXj4JDkNw/5hrwYPfIvlZFUbLn7G5q+eQIN09Vnho6cqvnM/Lt99RixH49wO8K0ZL41WTWHoQzvsNVkOheZqKhEGpsp3SzB+BBtZAYve7uOR9tuTaaB6l0XScdYfEQPpkTUyHEGP+XqyDBzu+NBCITUjNWHynkrbWKOuWFn1xKzqsyx0bdvS78odp0+N503Zao0uCsWuSIDku8/7EO60b41vN5+Ses9BKlTdvd8bhp9EBvJjWJAIn/vxwHe6b3tSk6JFPV4nq85oAOrx555v/x/rh3E6Lo+bnuNS4uB4Cuq0ZfvO8X1rM6q/+vnjLVqZq7v83onttc2oYF4HPJmv1gWbB4P7s0l55ZsPhcsmY/WBYs3s8uzaVn5q3F/wf70mRuBCtbjQAAAABJRU5ErkJggg==",
  "initials": "MK",
  "description": "This is the Marketing Space",
  "disabledFeatures": []
}

Body object Required

alertId string | array[string] Required

index string | array[string] Required

connector object Required

value string | null | boolean

Delete a connector Deprecated

params object Required

dest_ip string | array[string]

malware_hash string | array[string]

malware_url string | array[string]

source_ip string | array[string]

Body Required

agents string | array[string] Required

Body Required

Body Required

Spaces Dismiss highlight