Run a connector

POST /api/actions/connector/{connectorId}/_execute

You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. If you use an index connector, you must also have all, create, index, or write indices privileges.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

connectorId string Required

An identifier for the connector.

application/json; Elastic-Api-Version=2023-10-31

Body Required

The properties vary depending on the connector type.

params object Required
One of:
Connectors_run_connector_params_acknowledge_resolve_pagerduty object Connectors_run_connector_params_documents object object-1 object object-2 object object-3 object Connectors_run_connector_params_message_serverlog object Connectors_run_connector_params_message_slack object Connectors_run_connector_params_trigger_pagerduty object Connectors_run_connector_subaction_addevent object Connectors_run_connector_subaction_closealert object Connectors_run_connector_subaction_closeincident object Connectors_run_connector_subaction_createalert object Connectors_run_connector_subaction_fieldsbyissuetype object Connectors_run_connector_subaction_getchoices object Connectors_run_connector_subaction_getfields object Connectors_run_connector_subaction_getincident object Connectors_run_connector_subaction_issue object Connectors_run_connector_subaction_issues object Connectors_run_connector_subaction_issuetypes object Connectors_run_connector_subaction_postmessage object Connectors_run_connector_subaction_pushtoservice object Connectors_run_connector_subaction_validchannelid object
Test an action that acknowledges or resolves a PagerDuty alert.
Hide attributes Show attributes

dedupKey string Required

The deduplication key for the PagerDuty alert.

Maximum length is 255.

eventAction string Required

The type of event.

Values are acknowledge or resolve.
Test an action that indexes a document into Elasticsearch.
Hide attribute Show attribute

documents array[object] Required

The documents in JSON format for index connectors.

Hide documents attribute Show documents attribute object

Additional properties are allowed
Hide attributes Show attributes

bcc array[string] Required

A list of "blind carbon copy" email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format

cc array[string]

A list of "carbon copy" email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format

message string Required

The email message text. Markdown format is supported.

subject string Required

The subject line of the email.

to array[string]

A list of email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format.
Hide attributes Show attributes

bcc array[string]

A list of "blind carbon copy" email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format

cc array[string] Required

A list of "carbon copy" email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format

message string Required

The email message text. Markdown format is supported.

subject string Required

The subject line of the email.

to array[string]

A list of email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format.
Hide attributes Show attributes

bcc array[string]

A list of "blind carbon copy" email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format

cc array[string]

A list of "carbon copy" email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format

message string Required

The email message text. Markdown format is supported.

subject string Required

The subject line of the email.

to array[string] Required

A list of email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format.
Test an action that writes an entry to the Kibana server log.
Hide attributes Show attributes

level string

The log level of the message for server log connectors.

Values are debug, error, fatal, info, trace, or warn. Default value is info.

message string Required

The message for server log connectors.
Test an action that sends a message to Slack. It is applicable only when the connector type is .slack.
Hide attribute Show attribute

message string Required

The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
Test an action that triggers a PagerDuty alert.
Hide attributes Show attributes

class string

The class or type of the event.

component string

The component of the source machine that is responsible for the event.

customDetails object

Additional details to add to the event.

dedupKey string

All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution.

Maximum length is 255.

eventAction string Required

The type of event.

Value is trigger.

group string

The logical grouping of components of a service.

links array[object]

A list of links to add to the event.

Hide links attributes Show links attributes object

href string

The URL for the link.

text string

A plain text description of the purpose of the link.

severity string

The severity of the event on the affected system.

Values are critical, error, info, or warning. Default value is info.

source string

The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action.

summary string

A summery of the event.

Maximum length is 1024.

timestamp string(date-time)

An ISO-8601 timestamp that indicates when the event was detected or generated.
The addEvent subaction for ServiceNow ITOM connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is addEvent.

subActionParams object

The set of configuration properties for the action.

Hide subActionParams attributes Show subActionParams attributes object

additional_info string

Additional information about the event.

description string

The details about the event.

event_class string

A specific instance of the source.

message_key string

All actions sharing this key are associated with the same ServiceNow alert. The default value is <rule ID>:<alert instance ID>.

metric_name string

The name of the metric.

node string

The host that the event was triggered for.

resource string

The name of the resource.

severity string

The severity of the event.

source string

The name of the event source type.

time_of_event string

The time of the event.

type string

The type of event.
The closeAlert subaction for Opsgenie connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is closeAlert.

subActionParams object Required

Hide subActionParams attributes Show subActionParams attributes object

alias string Required

The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert.

note string

Additional information for the alert.

source string

The display name for the source of the alert.

user string

The display name for the owner.
The closeIncident subaction for ServiceNow ITSM connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is closeIncident.

subActionParams object Required

Hide subActionParams attribute Show subActionParams attribute object

incident object Required

Any of:
object-1 object object-2 object

Hide attributes Show attributes

correlation_id string | null Required

An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.

Maximum length is 100. Default value is {{rule.id}}:{{alert.id}}.

externalId string | null

The unique identifier (incidentId) for the incident in ServiceNow.

Hide attributes Show attributes

correlation_id string | null

An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.

Maximum length is 100. Default value is {{rule.id}}:{{alert.id}}.

externalId string | null Required

The unique identifier (incidentId) for the incident in ServiceNow.
The createAlert subaction for Opsgenie connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is createAlert.

subActionParams object Required

Hide subActionParams attributes Show subActionParams attributes object

actions array[string]

The custom actions available to the alert.

alias string

The unique identifier used for alert deduplication in Opsgenie.

description string

A description that provides detailed information about the alert.

details object

The custom properties of the alert.

Hide details attribute Show details attribute object

Additional properties are allowed

entity string

The domain of the alert. For example, the application or server name.

message string Required

The alert message.

note string

Additional information for the alert.

priority string

The priority level for the alert.

Values are P1, P2, P3, P4, or P5.

responders array[object]

The entities to receive notifications about the alert. If type is user, either id or username is required. If type is team, either id or name is required.

Hide responders attributes Show responders attributes object

id string

The identifier for the entity.

name string

The name of the entity.

type string

The type of responders, in this case escalation.

Values are escalation, schedule, team, or user.

username string

A valid email address for the user.

source string

The display name for the source of the alert.

tags array[string]

The tags for the alert.

user string

The display name for the owner.

visibleTo array[object]

The teams and users that the alert will be visible to without sending a notification. Only one of id, name, or username is required.

Hide visibleTo attributes Show visibleTo attributes object

id string

The identifier for the entity.

name string

The name of the entity.

type string Required

Valid values are team and user.

Values are team or user.

username string

The user name. This property is required only when the type is user.
The fieldsByIssueType subaction for Jira connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is fieldsByIssueType.

subActionParams object Required

Hide subActionParams attribute Show subActionParams attribute object

id string Required

The Jira issue type identifier.
The getChoices subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is getChoices.

subActionParams object Required

The set of configuration properties for the action.

Hide subActionParams attribute Show subActionParams attribute object

fields array[string] Required

An array of fields.
The getFields subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
Hide attribute Show attribute

subAction string Required

The action to test.

Value is getFields.
The getIncident subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is getIncident.

subActionParams object Required

Hide subActionParams attribute Show subActionParams attribute object

externalId string Required

The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier.
The issue subaction for Jira connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is issue.

subActionParams object

Hide subActionParams attribute Show subActionParams attribute object

id string Required

The Jira issue identifier.
The issues subaction for Jira connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is issues.

subActionParams object Required

Hide subActionParams attribute Show subActionParams attribute object

title string Required

The title of the Jira issue.
The issueTypes subaction for Jira connectors.
Hide attribute Show attribute

subAction string Required

The action to test.

Value is issueTypes.
Test an action that sends a message to Slack. It is applicable only when the connector type is .slack_api.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is postMessage.

subActionParams object Required

The set of configuration properties for the action.

Hide subActionParams attributes Show subActionParams attributes object

channelIds array[string]

The Slack channel identifier, which must be one of the allowedChannels in the connector configuration.

Not more than 1 element.

channels array[string] Deprecated

The name of a channel that your Slack app has access to.

Not more than 1 element.

text string

The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages.

Minimum length is 1.
The pushToService subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, and Webhook - Case Management connectors.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is pushToService.

subActionParams object Required

The set of configuration properties for the action.

Hide subActionParams attributes Show subActionParams attributes object

comments array[object]

Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, or Swimlane.

Hide comments attributes Show comments attributes object

comment string

A comment related to the incident. For example, describe how to troubleshoot the issue.

commentId integer

A unique identifier for the comment.

incident object

Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, or Swimlane incident.

Hide incident attributes Show incident attributes object

alertId string

The alert identifier for Swimlane connectors.

caseId string

The case identifier for the incident for Swimlane connectors.

caseName string

The case name for the incident for Swimlane connectors.

category string

The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.

correlation_display string

A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors.

correlation_id string

The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as {{ruleID}}:{{alert ID}} to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of {{ruleID}}:{{alert ID}} ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.

description string

The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, and Webhook - Case Management connectors.

dest_ip string | array[string]

A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.

One of:
string-1 string array-2 array[string]

externalId string

The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.

id string

The external case identifier for Webhook - Case Management connectors.

impact string

The impact of the incident for ServiceNow ITSM connectors.

issueType integer

The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set subAction to issueTypes.

labels array[string]

The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces.

malware_hash string | array[string]

A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident.

One of:
string-1 string array-2 array[string]

malware_url string | array[string]

A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident.

One of:
string-1 string array-2 array[string]

otherFields object

Custom field identifiers and their values for Jira connectors.

Hide otherFields attribute Show otherFields attribute object

Additional properties are allowed

parent string

The ID or key of the parent issue for Jira connectors. Applies only to Sub-task types of issues.

priority string

The priority of the incident in Jira and ServiceNow SecOps connectors.

ruleName string

The rule name for Swimlane connectors.

severity string

The severity of the incident for ServiceNow ITSM and Swimlane connectors.

short_description string

A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base.

source_ip string | array[string]

A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.

One of:
string-1 string array-2 array[string]

status string

The status of the incident for Webhook - Case Management connectors.

subcategory string

The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.

summary string

A summary of the incident for Jira connectors.

tags array[string]

A list of tags for Webhook - Case Management connectors.

title string

A title for the incident for Jira and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base.

urgency string

The urgency of the incident for ServiceNow ITSM connectors.
Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is .slack_api.
Hide attributes Show attributes

subAction string Required

The action to test.

Value is validChannelId.

subActionParams object Required

Hide subActionParams attribute Show subActionParams attribute object

channelId string Required

The Slack channel identifier.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Indicates a successful call.
Hide response attributes Show response attributes object
- connector_id string Required
  
  The identifier for the connector.
- data object | array[object]
  
  One of:
  object-1 object array-2 array[object]
  
  An array of information returned from the action.
- status string Required
  
  The status of the action.
  
  Values are error or ok.
401 application/json; Elastic-Api-Version=2023-10-31

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

POST /api/actions/connector/{connectorId}/_execute

curl \
 -X POST https://localhost:5601/api/actions/connector/df770e30-8b8b-11ed-a780-3b746c987a81/_execute \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"

Request examples

{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "comments": [
        {
          "comment": "A comment about the incident.",
          "commentId": 1
        }
      ],
      "incident": {
        "id": "caseID",
        "tags": [
          "tag1",
          "tag2"
        ],
        "title": "Case title",
        "status": "open",
        "severity": "low",
        "description": "Description of the incident."
      }
    }
  }
}

{
  "params": {
    "cc": [
      "user2@example.com",
      "user3@example.com"
    ],
    "to": [
      "user4@example.com"
    ],
    "bcc": [
      "user1@example.com"
    ],
    "message": "Test email message.",
    "subject": "Test message subject"
  }
}

{
  "params": {
    "documents": [
      {
        "id": "my_doc_id",
        "name": "my_doc_name",
        "message": "hello, world"
      }
    ]
  }
}

{
  "params": {
    "subAction": "issueTypes"
  }
}

{
  "params": {
    "links": [
      {
        "href": "http://example.com/pagerduty",
        "text": "An example link"
      }
    ],
    "summary": "A brief event summary",
    "eventAction": "trigger",
    "customDetails": {
      "my_data_1": "test data"
    }
  }
}

{
  "params": {
    "level": "warn",
    "message": "Test warning message."
  }
}

{
  "params": {
    "subAction": "getChoices",
    "subActionParams": {
      "fields": [
        "severity",
        "urgency"
      ]
    }
  }
}

{
  "params": {
    "subAction": "postMessage",
    "subActionParams": {
      "text": "A test message.",
      "channelIds": [
        "C123ABC456"
      ]
    }
  }
}

{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "comments": [
        {
          "comment": "A comment about the incident.",
          "commentId": 1
        }
      ],
      "incident": {
        "caseId": "1000",
        "caseName": "Case name",
        "description": "Description of the incident."
      }
    }
  }
}

Response examples (200)

{
  "data": {
    "id": 100665,
    "url": "https://example.com/browse/TEST-29034",
    "title": "TEST-29034",
    "comments": [
      {
        "commentId": 1,
        "pushedDate": "2023-12-05T19:43:36.360Z"
      }
    ],
    "pushedDate": "2023-12-05T19:43:36.360Z"
  },
  "status": "ok",
  "connector_id": "1824b5b8-c005-4dcc-adac-57f92db46459"
}

{
  "data": {
    "accepted": [
      "user1@example.com",
      "user2@example.com",
      "user3@example.com",
      "user4@example.com"
    ],
    "envelope": {
      "to": [
        "user1@example.com",
        "user2@example.com",
        "user3@example.com",
        "user4@example.com"
      ],
      "from": "tester@example.com"
    },
    "rejected": [],
    "response": "250 Message queued as QzEXKcGJ",
    "messageId": "<08a92d29-642a-0706-750c-de5996bd5cf3@example.com>",
    "messageSize": 729,
    "messageTime": 3,
    "envelopeTime": 8
  },
  "status": "ok",
  "connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}

{
  "data": {
    "took": 135,
    "items": [
      {
        "create": {
          "_id": "4JtvwYUBrcyxt2NnfW3y",
          "_index": "my-index",
          "result": "created",
          "status": 201,
          "_seq_no": 0,
          "_shards": {
            "total": 2,
            "failed": 0,
            "successful": 1
          },
          "_version": 1,
          "_primary_term": 1
        }
      }
    ],
    "errors": false
  },
  "status": "ok",
  "connector_id": "fd38c600-96a5-11ed-bb79-353b74189cba"
}

{
  "data": [
    {
      "id": 10024,
      "name": "Improvement"
    },
    {
      "id": 10006,
      "name": "Task"
    },
    {
      "id": 10007,
      "name": "Sub-task"
    },
    {
      "id": 10025,
      "name": "New Feature"
    },
    {
      "id": 10023,
      "name": "Bug"
    },
    {
      "id": 10000,
      "name": "Epic"
    }
  ],
  "status": "ok",
  "connector_id": "b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}

{
  "data": {
    "status": "success",
    "message": "Event processed",
    "dedup_key": "5115e138b26b484a81eaea779faa6016"
  },
  "status": "ok",
  "connector_id": "45de9f70-954f-4608-b12a-db7cf808e49d"
}

{
  "status": "ok",
  "connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}

{
  "data": [
    {
      "label": "Critical",
      "value": 1,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Major",
      "value": 2,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Minor",
      "value": 3,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Warning",
      "value": 4,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "OK",
      "value": 5,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Clear",
      "value": 0,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "1 - High",
      "value": 1,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "2 - Medium",
      "value": 2,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "3 - Low",
      "value": 3,
      "element": "urgency",
      "dependent_value": ""
    }
  ],
  "status": "ok",
  "connector_id": "9d9be270-2fd2-11ed-b0e0-87533c532698"
}

{
  "data": {
    "ok": true,
    "ts": "1234567890.123456",
    "channel": "C123ABC456",
    "message": {
      "ts": "1234567890.123456",
      "team": "T01ABCDE2F",
      "text": "A test message",
      "type": "message",
      "user": "U12A345BC6D",
      "app_id": "A01BC2D34EF",
      "blocks": [
        {
          "type": "rich_text",
          "block_id": "/NXe",
          "elements": [
            {
              "type": "rich_text_section",
              "elements": [
                {
                  "text": "A test message.",
                  "type": "text"
                }
              ]
            }
          ]
        }
      ],
      "bot_id": "B12BCDEFGHI",
      "bot_profile": {
        "id": "B12BCDEFGHI",
        "name": "test",
        "icons": {
          "image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"
        },
        "app_id": "A01BC2D34EF",
        "deleted": false,
        "team_id": "T01ABCDE2F",
        "updated": 1672169705
      }
    }
  },
  "status": "ok",
  "connector_id": ".slack_api"
}

{
  "data": {
    "id": "aKPmBHWzmdRQtx6Mx",
    "url": "https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx",
    "title": "TEST-457",
    "comments": [
      {
        "commentId": 1,
        "pushedDate": "2022-09-08T16:52:27.865Z"
      }
    ],
    "pushedDate": "2022-09-08T16:52:27.866Z"
  },
  "status": "ok",
  "connector_id": "a4746470-2f94-11ed-b0e0-87533c532698"
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Run a connector

Headers

Path parameters

Body Required

params object Required

dest_ip string | array[string]

malware_hash string | array[string]

malware_url string | array[string]

source_ip string | array[string]

Responses

data object | array[object]