Get rule details

GET /api/alerting/rule/{ruleId}

You must have read privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rules you're seeking. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. To get rules associated with the Stack Monitoring feature, use the monitoring_user built-in role.

Path parameters

  • ruleId string Required

    An identifier for the rule.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    • actions array[object] | null Required

      Default value is [] (empty).

      An action that runs under defined conditions.

      • alerts_filter object

        Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.

        • query object

          Defines a query filter that determines whether the action runs.

        • timeframe object

          Defines a period that limits whether the action runs.

          • days array[integer]

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

          • hours object

            Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.

            • end string

              The end of the time frame in 24-hour notation (hh:mm).

            • start string

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight saving time support and are not recommended.

      • connector_type_id string

        The type of connector. This property appears in responses but cannot be set in requests.

      • frequency object

        The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.

        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string Required

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • alert_delay object

      Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.

      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • api_key_created_by_user boolean

      Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The application or feature that owns the rule. For example, alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string(date-time) Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether the rule is currently enabled.

    • execution_status object Required
    • id string Required

      The identifier for the rule.

    • last_run object
    • mute_all boolean Required
    • muted_alert_ids array[string] | null Required
    • name string Required

      The name of the rule.

    • next_run string(date-time) | null
    • notify_when string | null

      Indicates how often alerts generate actions.

    • params object Required

      The parameters for the rule.

    • revision integer

      The rule revision number.

    • rule_type_id string Required

      The identifier for the type of rule. For example, .es-query, .index-threshold, logs.alert.document.count, monitoring_alert_cluster_health, siem.thresholdRule, or xpack.ml.anomaly_detection_alert.

    • running boolean

      Indicates whether the rule is running.

    • schedule object Required

      The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.

    • tags array[string] Required

      The tags for the rule.

      Default value is [] (empty).

    • throttle string | null Required Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

  • 404 application/json; Elastic-Api-Version=2023-10-31

    Object is not found.

GET /api/alerting/rule/{ruleId}
curl \
 -X GET https://localhost:5601/api/alerting/rule/ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74
Response examples (200)
{
  "id": "31697a40-7b36-11ed-aa79-f742c05329b2",
  "name": "my alert",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      "test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "1007a0c0-7a6e-11ed-89d5-abec321c0def",
      "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
        "connector_type_id": ".server-log"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    }
  },
  "mute_all": false,
  "next_run": "2022-12-13T22:34:44.314Z",
  "revision": 1,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-12-13T22:33:41.163Z",
  "created_by": "elastic",
  "updated_at": "2022-12-13T22:33:41.163Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 83,
    "last_execution_date": "2022-12-13T22:33:44.388Z"
  },
  "scheduled_task_id": "31697a40-7b36-11ed-aa79-f742c05329b2",
  "api_key_created_by_user": false
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Saved object [alert/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}
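
The 200 response fields described above can be checked for settings that keep a rule from notifying anyone (disabled, muted, no actions, or actions limited to a time window). This is an added example, not code from Kibana or from this page; the helper name audit_rule is hypothetical and the sample document is constructed in the shape of the 200 response.

```python
import json

# Constructed sample in the shape of the 200 response above, trimmed and
# altered so that several checks fire (values are illustrative).
SAMPLE = json.loads("""
{
  "id": "31697a40-7b36-11ed-aa79-f742c05329b2", "name": "my alert",
  "enabled": true, "mute_all": true, "muted_alert_ids": [],
  "throttle": "1h", "notify_when": null,
  "last_run": {"outcome": "succeeded"},
  "actions": [{
    "id": "1007a0c0-7a6e-11ed-89d5-abec321c0def", "group": "threshold met",
    "frequency": {"summary": false, "throttle": null,
                  "notify_when": "onActionGroupChange"},
    "alerts_filter": {"timeframe": {"days": [1, 2, 3, 4, 5], "timezone": "UTC",
                                    "hours": {"start": "08:00", "end": "17:00"}}}
  }]
}
""")

def audit_rule(rule):
    """Hypothetical helper: list settings that can keep a rule from notifying."""
    findings = []
    if not rule.get("enabled"):
        findings.append("rule is disabled")
    if rule.get("mute_all"):
        findings.append("mute_all is set")
    if rule.get("muted_alert_ids"):          # array[string] | null
        findings.append("muted alerts: " + ", ".join(rule["muted_alert_ids"]))
    if rule.get("throttle") or rule.get("notify_when"):
        findings.append("rule-level throttle/notify_when is set")
    last_run = rule.get("last_run")          # optional in the response
    if last_run and last_run.get("outcome") != "succeeded":
        findings.append("last run outcome: %s" % last_run.get("outcome"))
    actions = rule.get("actions") or []      # array[object] | null
    if not actions:
        findings.append("no actions configured")
    for action in actions:
        tf = (action.get("alerts_filter") or {}).get("timeframe") or {}
        hours = tf.get("hours") or {}
        all_day = not hours or (hours.get("start"), hours.get("end")) == ("00:00", "24:00")
        days = set(tf.get("days") or [])     # empty array means every day
        if (days and len(days) < 7) or not all_day:
            findings.append("action %s runs only in a time window" % action.get("id"))
    return findings

if __name__ == "__main__":
    print("\n".join(audit_rule(SAMPLE)))
```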