Get the alerting framework health Deprecated

GET /api/alerts/alerts/_health
Api key auth Basic auth

Deprecated in 7.13.0. Use the get alerting framework health API instead.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • alertingFrameworkHealth object

      Three substates identify the health of the alerting framework: decryptionHealth, executionHealth, and readHealth.

      Hide alertingFrameworkHealth attributes Show alertingFrameworkHealth attributes object
      • decryptionHealth object

        The timestamp and status of the alert decryption.

        Hide decryptionHealth attributes Show decryptionHealth attributes object
      • executionHealth object

        The timestamp and status of the alert execution.

        Hide executionHealth attributes Show executionHealth attributes object
      • readHealth object

        The timestamp and status of the alert reading events.

        Hide readHealth attributes Show readHealth attributes object
    • hasPermanentEncryptionKey boolean

      If false, the encrypted saved object plugin does not have a permanent encryption key.

    • isSufficientlySecure boolean

      If false, security is enabled but TLS is not.
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerts/alerts/_health 
curl \
 --request GET 'https://localhost:5601/api/alerts/alerts/_health' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "alertingFrameworkHealth": {
    "decryptionHealth": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "executionHealth": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "readHealth": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "hasPermanentEncryptionKey": true,
  "isSufficientlySecure": true
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Save APM server schema

POST /api/apm/fleet/apm_server_schema
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • schema object

    Schema object

    Additional properties are allowed.

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/fleet/apm_server_schema 
curl \
 --request POST 'https://localhost:5601/api/apm/fleet/apm_server_schema' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"schema":{"foo":"bar"}}'
Request examples 
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "schema": {
    "foo": "bar"
  }
}
Response examples (200) 
{}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Upload source map

POST /api/apm/sourcemaps
Api key auth Basic auth

Upload a source map for a specific service and version.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

multipart/form-data

Body Required

Responses

POST /api/apm/sourcemaps 
curl \
 --request POST 'https://localhost:5601/api/apm/sourcemaps' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --form "bundle_filepath=string" \
 --form "service_name=string" \
 --form "service_version=string" \
 --form "sourcemap=@file"
Response examples (200) 
{
  "body": "string",
  "compressionAlgorithm": "string",
  "created": "string",
  "decodedSha256": "string",
  "decodedSize": 42.0,
  "encodedSha256": "string",
  "encodedSize": 42.0,
  "encryptionAlgorithm": "string",
  "id": "string",
  "identifier": "string",
  "packageName": "string",
  "relative_url": "string",
  "type": "string"
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500) 
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501) 
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Add case settings

POST /api/cases/configure
Api key auth Basic auth

Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where you are creating cases.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body

  • closure_type string Required

    Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

    Values are close-by-pushing or close-by-user.

  • connector object Required

    An object that contains the connector configuration.

    Hide connector attributes Show connector attributes object
    • fields object | null Required

      The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

    • id string Required

      The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

    • name string Required

      The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

    • type string Required

      The type of connector.

      Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

  • customFields array[object]

    Custom fields case configuration.

    At least 0 but not more than 10 elements.

    Hide customFields attributes Show customFields attributes object

    • defaultValue string | boolean

      A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      One of:
      string-1 string boolean-2 boolean
    • key string Required

      A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

      Minimum length is 1, maximum length is 36.

    • label string Required

      The custom field label that is displayed in the case.

      Minimum length is 1, maximum length is 50.

    • type string Required

      The type of the custom field.

      Values are text or toggle.

    • required boolean Required

      Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • templates array[object] Technical preview
    Hide templates attributes Show templates attributes object
    • caseFields object
      Hide caseFields attributes Show caseFields attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string

        A word or phrase that categorizes the case.

        Maximum length is 50.

      • connector object
        Hide connector attributes Show connector attributes object
        • fields object | null

          The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        • id string

          The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

        • name string

          The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

        • type string

          The type of connector.

          Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

      • customFields array[object] Technical preview

        Custom field values in the template.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique key for the custom field.

        • type string

          The type of the custom field.

          Values are text or toggle.

        • value string | boolean

          The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

          One of:
          string-1 string boolean-2 boolean
      • description string

        The description for the case.

        Maximum length is 30000.

      • settings object

        An object that contains the case settings.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • tags array[string]

        The words and phrases that help categorize cases. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

      • title string

        A title for the case.

        Maximum length is 160.

    • description string

      A description for the template.

    • key string

      A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

    • name string

      The name of the template.

    • tags array[string]

      The words and phrases that help categorize templates. It can be an empty array.

      Not more than 200 elements. Maximum length of each is 256.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • closure_type string

      Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • connector object
      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • created_by object
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object

      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        One of:
        string-1 string boolean-2 boolean
      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • caseFields object
        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • connector object
          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

            One of:
            string-1 string boolean-2 boolean
        • description string

          The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • description string

        A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null
      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/configure 
curl \
 --request POST 'https://localhost:5601/api/cases/configure' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"owner":"cases","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"templates":[{"key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"],"caseFields":{"tags":["Default case tag"],"title":"Default case title","category":"Default-category","assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"description":"A default description for cases.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"A text field value for the template."}]},"description":"A description of the template."}],"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":false,"defaultValue":"My custom field default value."}]}'
Request example 
{
  "owner": "cases",
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}
Response examples (200) 
{
  "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error": null,
  "owner": "cases",
  "version": "WzIwNzMsMV0=",
  "mappings": [
    {
      "source": "title",
      "target": "summary",
      "action_type": "overwrite"
    },
    {
      "source": "description",
      "target": "description",
      "action_type": "overwrite"
    },
    {
      "source": "comments",
      "target": "comments",
      "action_type": "append"
    },
    {
      "source": "tags",
      "target": "labels",
      "action_type": "overwrite"
    }
  ],
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "created_at": "2024-07-01T17:07:17.767Z",
  "created_by": {
    "email": "null,",
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Create a connector

POST /api/actions/connector/{id}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

application/json

Body

  • connector_type_id string Required

    The type of connector.

  • name string Required

    The display name for the connector.

  • config object

    The connector configuration details.

    One of:
    bedrock_config object crowdstrike_config object d3security_config object email_config object gemini_config object resilient_config object index_config object jira_config object genai_azure_config object genai_openai_config object opsgenie_config object pagerduty_config object sentinelone_config object servicenow_config object servicenow_itom_config object slack_api_config object swimlane_config object thehive_config object tines_config object torq_config object webhook_config object cases_webhook_config object xmatters_config object

    Defines properties for connectors when type is .bedrock.

    Hide attributes Show attributes
    • apiUrl string Required

      The Amazon Bedrock request URL.

    • defaultModel string

      The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.

      Default value is anthropic.claude-3-5-sonnet-20240620-v1:0.

  • secrets object

    One of:
    bedrock_secrets object crowdstrike_secrets object d3security_secrets object email_secrets object gemini_secrets object resilient_secrets object jira_secrets object teams_secrets object genai_secrets object opsgenie_secrets object pagerduty_secrets object sentinelone_secrets object servicenow_secrets object slack_api_secrets object swimlane_secrets object thehive_secrets object tines_secrets object torq_secrets object webhook_secrets object cases_webhook_secrets object xmatters_secrets object

    Defines secrets for connectors when type is .bedrock.

    Hide attributes Show attributes
    • accessKey string Required

      The AWS access key for authentication.

    • secret string Required

      The AWS secret for authentication.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • is_missing_secrets boolean

      Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.
POST /api/actions/connector/{id} 
curl \
 --request POST 'https://localhost:5601/api/actions/connector/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"email-connector-1","config":{"from":"tester@example.com","host":"https://example.com","port":1025,"secure":false,"hasAuth":true,"service":"other"},"secrets":{"user":"username","password":"password"},"connector_type_id":".email"}'
Request examples 
{
  "name": "email-connector-1",
  "config": {
    "from": "tester@example.com",
    "host": "https://example.com",
    "port": 1025,
    "secure": false,
    "hasAuth": true,
    "service": "other"
  },
  "secrets": {
    "user": "username",
    "password": "password"
  },
  "connector_type_id": ".email"
}
{
  "name": "my-connector",
  "config": {
    "index": "test-index"
  },
  "connector_type_id": ".index"
}
{
  "name": "my-webhook-connector",
  "config": {
    "url": "https://example.com",
    "method": "post",
    "authType": "webhook-authentication-ssl",
    "certType": "ssl-crt-key"
  },
  "secrets": {
    "crt": "QmFnIEF0dH...",
    "key": "LS0tLS1CRUdJ...",
    "password": "my-passphrase"
  },
  "connector_type_id": ".webhook"
}
{
  "name": "my-xmatters-connector",
  "config": {
    "usesBasic": false
  },
  "secrets": {
    "secretsUrl": "https://example.com?apiKey=xxxxx"
  },
  "connector_type_id": ".xmatters"
}
Response examples (200) 
{
  "id": "90a82c60-478f-11ee-a343-f98a117c727f",
  "name": "email-connector-1",
  "config": {
    "from": "tester@example.com",
    "host": "https://example.com",
    "port": 1025,
    "secure": false,
    "hasAuth": true,
    "service": "other",
    "clientId": null,
    "tenantId": null,
    "oauthTokenUrl": null
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".email",
  "is_missing_secrets": false
}
{
  "id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
  "name": "my-connector",
  "config": {
    "index": "test-index",
    "refresh": false,
    "executionTimeField": null
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".index",
  "is_missing_secrets": false
}
{
  "id": "900eb010-3b9d-11ee-a642-8ffbb94e38bd",
  "name": "my-webhook-connector",
  "config": {
    "url": "https://example.com",
    "method": "post",
    "hasAuth": true,
    "headers": null,
    "authType": "webhook-authentication-ssl",
    "certType": "ssl-crt-key",
    "verificationMode": "full"
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".webhook",
  "is_missing_secrets": false
}
{
  "id": "df770e30-8b8b-11ed-a780-3b746c987a81",
  "name": "my_server_log_connector",
  "config": {},
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".server-log",
  "is_missing_secrets": false
}

Swap saved object references

POST /api/data_views/swap_references
Api key auth Basic auth

Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • delete boolean

    Deletes referenced saved object if all references are removed.

  • forId string | array[string]

    Limit the affected saved objects to one or more by identifier.

    One of:
    string-1 string array-2 array[string]
  • forType string

    Limit the affected saved objects by type.

  • fromId string Required

    The saved object reference to change.

  • fromType string

    Specify the type of the saved object reference to alter. The default value is index-pattern for data views.

  • toId string Required

    New saved object reference value to replace the old value.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
POST /api/data_views/swap_references 
curl \
 --request POST 'https://localhost:5601/api/data_views/swap_references' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"toId":"xyz-123","delete":true,"fromId":"abcd-efg"}'
Request example 
{
  "toId": "xyz-123",
  "delete": true,
  "fromId": "abcd-efg"
}
Response examples (200) 
{
  "deleteStatus": {
    "deletePerformed": true,
    "remainingRefs": 42
  },
  "result": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}

Logstash configuration management

Programmatically integrate with Logstash configuration management.

Do not directly access the .logstash index. The structure of the .logstash index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs.

Centralized pipeline management

Delete a role

DELETE /api/security/role/{name}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • name string Required

    Minimum length is 1.

Responses

  • 204

    Indicates a successful call.

DELETE /api/security/role/{name} 
curl \
 --request DELETE 'https://localhost:5601/api/security/role/{name}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Delete saved objects Deprecated

POST /api/saved_objects/_bulk_delete
Api key auth Basic auth

WARNING: When you delete a saved object, it cannot be recovered.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Query parameters

  • force boolean

    When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation.

application/json

Body Required

object object

Responses

  • 200 application/json

    Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/saved_objects/_bulk_delete 
curl \
 --request POST 'https://localhost:5601/api/saved_objects/_bulk_delete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'
Request examples 
# Headers
kbn-xsrf: string

# Payload
[
  {}
]
Response examples (200) 
{}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Get conversations

GET /api/security_ai_assistant/current_user/conversations/_find
Api key auth Basic auth

Get a list of all conversations for the current user.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • sort_field string

    Field to sort by

    Values are created_at, is_default, title, or updated_at.

  • sort_order string

    Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Conversations per page

    Minimum value is 0. Default value is 20.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • data array[object] Required
      Hide data attributes Show data attributes object
      • apiConfig object

        LLM API configuration.

        Hide apiConfig attributes Show apiConfig attributes object
      • category string Required

        The conversation category.

        Values are assistant or insights.

      • createdAt string Required

        The last time conversation was updated.

      • excludeFromLastConversationStorage boolean

        excludeFromLastConversationStorage.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • isDefault boolean

        Is default conversation.

      • messages array[object]

        The conversation messages.

        AI assistant conversation message.

        Hide messages attributes Show messages attributes object
        • content string Required

          Message content.

        • isError boolean

          Is error message.

        • metadata object

          metadata

          Hide metadata attribute Show metadata attribute object
        • reader object

          Message content.

          Additional properties are allowed.

        • role string Required

          Message role.

          Values are system, user, or assistant.

        • timestamp string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • traceData object

          trace Data

          Hide traceData attributes Show traceData attributes object
          • traceId string

            Could be any string, not necessarily a UUID

          • transactionId string

            Could be any string, not necessarily a UUID

      • namespace string Required

        Kibana space

      • replacements object

        Replacements object used to anonymize/deanomymize messsages

        Hide replacements attribute Show replacements attribute object
        • * string Additional properties
      • summary object
        Hide summary attributes Show summary attributes object
        • confidence string

          How confident you are about this being a correct and useful learning.

          Values are low, medium, or high.

        • content string

          Summary text of the conversation over time.

        • public boolean

          Define if summary is marked as publicly available.

        • timestamp string(nonempty)

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • title string Required

        The conversation title.

      • updatedAt string

        The last time conversation was updated.

      • users array[object] Required

        Could be any string, not necessarily a UUID

        Hide users attributes Show users attributes object
    • page integer Required
    • perPage integer Required
    • total integer Required
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/current_user/conversations/_find 
curl \
 --request GET 'https://localhost:5601/api/security_ai_assistant/current_user/conversations/_find' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": [
    {
      "apiConfig": {
        "actionTypeId": "string",
        "connectorId": "string",
        "defaultSystemPromptId": "string",
        "model": "string",
        "provider": "OpenAI"
      },
      "category": "assistant",
      "createdAt": "string",
      "excludeFromLastConversationStorage": true,
      "id": "string",
      "isDefault": true,
      "messages": [
        {
          "content": "string",
          "isError": true,
          "metadata": {
            "contentReferences": {}
          },
          "reader": {},
          "role": "system",
          "timestamp": "string",
          "traceData": {
            "traceId": "string",
            "transactionId": "string"
          }
        }
      ],
      "namespace": "string",
      "replacements": {
        "additionalProperty1": "string",
        "additionalProperty2": "string"
      },
      "summary": {
        "confidence": "low",
        "content": "string",
        "public": true,
        "timestamp": "string"
      },
      "timestamp": "string",
      "title": "string",
      "updatedAt": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ]
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get prompts

GET /api/security_ai_assistant/prompts/_find
Api key auth Basic auth

Get a list of all prompts.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • sort_field string

    Field to sort by

    Values are created_at, is_default, name, or updated_at.

  • sort_order string

    Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Prompts per page

    Minimum value is 0. Default value is 20.

Responses

GET /api/security_ai_assistant/prompts/_find 
curl \
 --request GET 'https://localhost:5601/api/security_ai_assistant/prompts/_find' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": [
    {
      "categories": [
        "string"
      ],
      "color": "string",
      "consumer": "string",
      "content": "string",
      "createdAt": "string",
      "createdBy": "string",
      "id": "string",
      "isDefault": true,
      "isNewConversationDefault": true,
      "name": "string",
      "namespace": "string",
      "promptType": "system",
      "timestamp": "string",
      "updatedAt": "string",
      "updatedBy": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ]
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Set a detection alert status

POST /api/detection_engine/signals/status
Api key auth Basic auth

Set the status of one or more detection alerts.

application/json

Body object Required

An object containing desired status and explicit alert ids or a query to select alerts

One of:
Security_Detections_API_SetAlertsStatusByIds object Security_Detections_API_SetAlertsStatusByQuery object
  • signal_ids array[string(nonempty)] Required

    List of alert ids.

    At least 1 element. Minimum length of each is 1.

  • status string Required

    The status of an alert, which can be open, acknowledged, in-progress, or closed.

    Values are open, closed, acknowledged, or in-progress.

Responses

POST /api/detection_engine/signals/status 
curl \
 --request POST 'https://localhost:5601/api/detection_engine/signals/status' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"status":"closed","signal_ids":["80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"]}'
Request examples 
{
  "status": "closed",
  "signal_ids": [
    "80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"
  ]
}
{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": null,
          "@timestamp": {
            "gte": "2024-10-23T07:00:00.000Z",
            "lte": "2025-01-21T20:12:11.704Z",
            "format": "strict_date_optional_time"
          }
        },
        {
          "bool": {
            "filter": {
              "bool": {
                "must": [],
                "filter": [
                  {
                    "match_phrase": {
                      "kibana.alert.workflow_status": "open"
                    }
                  },
                  {
                    "range": null,
                    "@timestamp": {
                      "gte": "2024-10-23T07:00:00.000Z",
                      "lte": "2025-01-21T20:12:11.704Z",
                      "format": "strict_date_optional_time"
                    }
                  }
                ],
                "should": [],
                "must_not": [
                  {
                    "exists": {
                      "field": "kibana.alert.building_block_type"
                    }
                  }
                ]
              }
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "status": "closed",
  "conflicts": "proceed"
}
Response examples (200) 
{
  "took": 81,
  "noops": 0,
  "total": 1,
  "batches": 1,
  "deleted": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "updated": 1,
  "failures": [],
  "timed_out": false,
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0
}
{
  "took": 100,
  "noops": 0,
  "total": 17,
  "batches": 1,
  "deleted": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "updated": 17,
  "failures": [],
  "timed_out": false,
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500) 
{
  "message": "string",
  "status_code": 42
}

Create an endpoint exception list

POST /api/endpoint_list
Api key auth Basic auth

Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned.

Responses

  • 200 application/json

    Successful response

    One of:
    Security_Endpoint_Exceptions_API_ExceptionList object object-2 object
    Hide attributes Show attributes
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • id string(nonempty) Required

      Exception list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the list container.

      Additional properties are allowed.

    • name string Required

      The name of the exception list.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single.

    • os_types array[string]

      Use this field to specify the operating system. Only enter one value.

      Values are linux, macos, or windows.

    • tags array[string]

      String array containing words and phrases to help categorize exception containers.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      The type of exception list to be created. Different list types may denote where they can be utilized.

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version, automatically increasd on updates.

      Minimum value is 1.
  • 400 application/json

    Invalid input data

    One of:
    Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
POST /api/endpoint_list 
curl \
 --request POST 'https://localhost:5601/api/endpoint_list' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "_version": "string",
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "description": "This list tracks allowlisted values.",
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "immutable": true,
  "list_id": "simple_list",
  "meta": {},
  "name": "My exception list",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "detection",
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "version": 42
}
{}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500) 
{
  "message": "string",
  "status_code": 42
}

Release an isolated endpoint

POST /api/endpoint/action/unisolate
Api key auth Basic auth

Release an isolated endpoint, allowing it to rejoin a network.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object

    Optional parameters object

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/unisolate 
curl \
 --request POST 'https://localhost:5601/api/endpoint/action/unisolate' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Benign process identified, releasing group","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}'
Request examples 
{
  "comment": "Benign process identified, releasing group",
  "endpoint_ids": [
    "9972d10e-4b9e-41aa-a534-a85e2a28ea42",
    "bc0e4f0c-3bca-4633-9fee-156c0b505d16",
    "fa89271b-b9d4-43f2-a684-307cffddeb5a"
  ]
}
{
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
{
  "comment": "Remediation complete, restoring network",
  "case_ids": [
    "4976be38-c134-4554-bd5e-0fd89ce63667"
  ],
  "endpoint_ids": [
    "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
    "b30a11bf-1395-4707-b508-fbb45ef9793e"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "errors": [],
    "command": "suspend-process",
    "comment": "suspend the process",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2022-07-29T19:08:49.126Z",
    "parameters": {
      "entity_id": "abc123"
    },
    "completedAt": "2022-07-29T19:09:44.961Z",
    "isCompleted": true,
    "wasSuccessful": true
  },
  "action": "233db9ea-6733-4849-9226-5a7039c7161d"
}

Release an isolated endpoint Deprecated

POST /api/endpoint/unisolate
Api key auth Basic auth

Release an isolated endpoint, allowing it to rejoin a network.

This URL will return a 308 permanent redirect to POST <kibana host>:<port>/api/endpoint/action/unisolate.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object

    Optional parameters object

Responses

  • 200 application/json

    OK
  • 308

    Permanent Redirect

    Hide headers attribute Show headers attribute
    • Location string

      Permanently redirects to "/api/endpoint/action/unisolate"

POST /api/endpoint/unisolate 
curl \
 --request POST 'https://localhost:5601/api/endpoint/unisolate' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["case-id-1","case-id-2"],"comment":"This is a comment","endpoint_ids":["endpoint-id-1","endpoint-id-2"],"parameters":{}}'
Request examples 
{
  "agent_type": "endpoint",
  "alert_ids": [
    "string"
  ],
  "case_ids": [
    "case-id-1",
    "case-id-2"
  ],
  "comment": "This is a comment",
  "endpoint_ids": [
    "endpoint-id-1",
    "endpoint-id-2"
  ],
  "parameters": {}
}
Response examples (200) 
{}

Get an asset criticality record

GET /api/asset_criticality
Api key auth Basic auth

Get the asset criticality record for a specific entity.

Query parameters

  • id_value string Required

    The ID value of the asset.

  • id_field string Required

    The field representing the ID.

    Values are host.name, user.name, or service.name.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object

    The deleted record if it existed.

    • id_field string Required

      Values are host.name, user.name, or service.name.

    • id_value string Required

      The ID value of the asset.

    • criticality_level string Required

      The criticality level of the asset.

      Values are low_impact, medium_impact, high_impact, or extreme_impact.

    • asset object Required
      Hide asset attribute Show asset attribute object
      • criticality string

        The criticality level of the asset.

        Values are low_impact, medium_impact, high_impact, or extreme_impact.

    • host object
      Hide host attributes Show host attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • service object
      Hide service attributes Show service attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • user object
      Hide user attributes Show user attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • @timestamp string(date-time) Required

      The time the record was created or updated.
  • 400

    Invalid request

  • 404

    Criticality record not found

GET /api/asset_criticality 
curl \
 --request GET 'https://localhost:5601/api/asset_criticality?id_value=my_host&id_field=host.name' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "host": {
    "name": "my_host",
    "asset": {
      "criticality": "high_impact"
    }
  },
  "asset": {
    "criticality": "high_impact"
  },
  "id_field": "host.name",
  "id_value": "my_host",
  "@timestamp": "2024-08-02T11:15:34.290Z",
  "criticality_level": "high_impact"
}

Bulk upsert asset criticality records

POST /api/asset_criticality/bulk
Api key auth Basic auth

Bulk upsert up to 1000 asset criticality records.

If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created.

application/json

Body

  • records array[object] Required

    At least 1 but not more than 1000 elements.

    Hide records attributes Show records attributes object
    • id_field string Required

      Values are host.name, user.name, or service.name.

    • id_value string Required

      The ID value of the asset.

    • criticality_level string Required

      The criticality level of the asset.

      Values are low_impact, medium_impact, high_impact, or extreme_impact.

Responses

  • 200 application/json

    Bulk upload successful

    Hide response attributes Show response attributes object
  • 413

    File too large

POST /api/asset_criticality/bulk 
curl \
 --request POST 'https://localhost:5601/api/asset_criticality/bulk' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"records":[{"id_field":"host.name","id_value":"host-1","criticality_level":"low_impact"},{"id_field":"host.name","id_value":"host-2","criticality_level":"medium_impact"}]}'
Request example 
{
  "records": [
    {
      "id_field": "host.name",
      "id_value": "host-1",
      "criticality_level": "low_impact"
    },
    {
      "id_field": "host.name",
      "id_value": "host-2",
      "criticality_level": "medium_impact"
    }
  ]
}
Response examples (200) 
{
  "stats": {
    "total": 2,
    "failed": 1,
    "successful": 1
  },
  "errors": [
    {
      "index": 0,
      "message": "Invalid ID field"
    }
  ]
}

Delete a value list item

DELETE /api/lists/items
Api key auth Basic auth

Delete a value list item using its id, or its list_id and value fields.

Query parameters

  • id string(nonempty)

    Value list item's identifier. Required if list_id and value are not specified.

    Minimum length is 1.

  • list_id string(nonempty)

    Value list's identifier. Required if id is not specified.

    Minimum length is 1.

  • value string

    The value used to evaluate exceptions. Required if id is not specified.

  • refresh string

    Determines when changes made by the request are made visible to search.

    Values are true, false, or wait_for. Default value is false.

Responses

  • 200 application/json

    Successful response

    One of:
    Security_Lists_API_ListItem object array-2 array[object]
    Hide attributes Show attributes
    • _version string

      The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

    • @timestamp string(date-time)
    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • deserializer string

      Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

      • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
      • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
      • {{{gte}}},{{{lte}}} - Date range values.
    • id string(nonempty) Required

      Value list item's identifier.

      Minimum length is 1.

    • list_id string(nonempty) Required

      Value list's identifier.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the value list item.

      Additional properties are allowed.

    • serializer string

      Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

      • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
      • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

      • keyword: Many ECS fields are Elasticsearch keywords
      • ip: IP addresses
      • ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

      Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • value string(nonempty) Required

      The value used to evaluate exceptions.

      Minimum length is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    List item not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
DELETE /api/lists/items 
curl \
 --request DELETE 'https://localhost:5601/api/lists/items' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "pd1WRJQBs4HAK3VQeHFI",
  "type": "ip",
  "value": "255.255.255.255",
  "list_id": "ip_list",
  "_version": "WzIwLDFd",
  "@timestamp": "2025-01-08T05:15:05.159Z",
  "created_at": "2025-01-08T05:15:05.159Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:44:14.009Z",
  "updated_by": "elastic",
  "tie_breaker_id": "eee41dc7-1666-4876-982f-8b0f7b59eca3"
}
Response examples (400) 
{
  "message": "Either \\\"list_id\\\" or \\\"id\\\" needs to be defined in the request",
  "status_code": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message": "list item with id: \\\"pd1WRJQBs4HAK3VQeHFI\\\" not found",
  "status_code": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Security Osquery

Run live queries, manage packs and saved queries.

Delete an SLO

DELETE /s/{spaceId}/api/observability/slos/{sloId}
Api key auth Basic auth

You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • spaceId string Required

    An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.

  • sloId string Required

    An identifier for the slo.

Responses

  • 204

    Successful request

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
DELETE /s/{spaceId}/api/observability/slos/{sloId} 
curl \
 --request DELETE 'https://localhost:5601/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"
Response examples (400) 
{
  "error": "Bad Request",
  "message": "Invalid value 'foo' supplied to: [...]",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 403
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
  "statusCode": 404
}