Api key auth (http_api_key)
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
Kibana APIs
1.0.2
Base URL
http://localhost:5622
http://localhost:5622The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation.
To interact with Kibana APIs, use the following operations:
- GET: Fetches the information.
- PATCH: Applies partial modifications to the existing information.
- POST: Adds new information.
- PUT: Updates the existing information.
- DELETE: Removes the information.
You can prepend any Kibana API endpoint with kbn: and run the request in Dev Tools → Console.
For example:
GET kbn:/api/data_views
For more information about the console, refer to Run API requests.
NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
Documentation source and versions
This documentation is derived from the 9.0 branch of the kibana repository.
It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.
This documentation contains work-in-progress information for future Elastic Stack releases.
This is version 1.0.2 of this API documentation.
Last update on Mar 26, 2025.
Servers
| Base URL | Description |
|---|---|
| http://localhost:5622 | |
| https://localhost:5601 | |
| https://localhost:5601 |
Authentication
The API accepts 2 different authentication methods:
Basic auth (http)
Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password
(separated by a : colon).
Example: send a Authorization: Basic aGVsbG86aGVsbG8=
HTTP header with your requests to authenticate with the API.
Alerting
Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.
Path parameters
-
id
string Required The identifier for the rule.
Body
-
actions
array[object] An action that runs under defined conditions.
Default value is
[](empty). -
alert_delay
object Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
Additional properties are NOT allowed.
-
flapping
object | null When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
Additional properties are NOT allowed.
-
name
string Required The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when
string | null Indicates how often alerts generate actions. Valid values include:
onActionGroupChange: Actions run when the alert status changes;onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met;onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specifynotify_whenat both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.Values are
onActionGroupChange,onActiveAlert, oronThrottleInterval. -
params
object The parameters for the rule.
Default value is
{}(empty). Additional properties are allowed. -
schedule
object Required Additional properties are NOT allowed.
-
throttle
string | null Use the
throttleproperty in the actionfrequencyobject instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
PUT
/api/alerting/rule/{id}
curl \
--request PUT 'http://localhost:5622/api/alerting/rule/{id}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"new name","tags":[],"params":{"index":[".updated-index"],"aggType":"avg","groupBy":"top","aggField":"sheet.version","termSize":6,"termField":"name.keyword","threshold":[1000],"timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m","thresholdComparator":"\u003e"},"actions":[{"id":"96b668d0-a1b6-11ed-afdf-d39a49596974","group":"threshold met","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"},"frequency":{"summary":false,"notify_when":"onActionGroupChange"}}],"schedule":{"interval":"1m"}}'
Request example
Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.
{
"name": "new name",
"tags": [],
"params": {
"index": [
".updated-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"schedule": {
"interval": "1m"
}
}
Response examples (200)
The response for successfully updating an index threshold rule.
{
"id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74",
"name": "new name",
"tags": [],
"params": {
"index": [
".updated-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
"uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
}
},
"mute_all": false,
"next_run": "2024-03-26T23:23:51.316Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2024-03-26T23:13:20.985Z",
"created_by": "elastic",
"updated_at": "2024-03-26T23:22:59.949Z",
"updated_by": "elastic",
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 52,
"last_execution_date": "2024-03-26T23:22:51.390Z"
},
"scheduled_task_id": "4c5eda00-e74f-11ec-b72f-5b18752ff9ea",
"api_key_created_by_user": false
}Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_enable
curl \
--request POST 'http://localhost:5622/api/alerting/rule/{id}/_enable' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_unmute_all
curl \
--request POST 'http://localhost:5622/api/alerting/rule/{id}/_unmute_all' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_update_api_key
curl \
--request POST 'http://localhost:5622/api/alerting/rule/{id}/_update_api_key' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
POST
/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
curl \
--request POST 'http://localhost:5622/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"APM agent configuration
Adjust APM agent configuration without need to redeploy your application.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Body
Required
-
environment
string Environment
-
name
string Name
DELETE
/api/apm/settings/agent-configuration
curl \
--request DELETE 'http://localhost:5622/api/apm/settings/agent-configuration' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"environment":"prod","name":"node"}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"environment": "prod",
"name": "node"
}
Response examples (200)
{
"result": "string"
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Get agent name for service
Retrieve agentName for a service.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
Query parameters
-
serviceName
string Required The name of the service
GET
/api/apm/settings/agent-configuration/agent_name
curl \
--request GET 'http://localhost:5622/api/apm/settings/agent-configuration/agent_name?serviceName=node' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"
Response examples (200)
{
"agentName": "nodejs"
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Get environments for service
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
Query parameters
-
serviceName
string The name of the service
GET
/api/apm/settings/agent-configuration/environments
curl \
--request GET 'http://localhost:5622/api/apm/settings/agent-configuration/environments' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"
Response examples (200)
{
"environments": [
{
"alreadyConfigured": true,
"name": "ALL_OPTION_VALUE"
}
]
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Search for annotations
Search for annotations related to a specific service.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
Path parameters
-
serviceName
string Required The name of the service
Query parameters
-
environment
string The environment to filter annotations by
-
start
string The start date for the search
-
end
string The end date for the search
GET
/api/apm/services/{serviceName}/annotation/search
curl \
--request GET 'http://localhost:5622/api/apm/services/{serviceName}/annotation/search' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"
Response examples (200)
{
"annotations": [
{
"@timestamp": 42.0,
"id": "string",
"text": "string",
"type": "version"
}
]
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (500)
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}Get source maps
Get an array of Fleet artifacts, including source map uploads. You must have read or all Kibana privileges for the APM and User Experience feature.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
GET
/api/apm/sourcemaps
curl -X GET "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: application/json' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}'
Response examples (200)
A successful response from `GET /api/apm/sourcemaps`.
{
"artifacts": [
{
"type": "sourcemap",
"identifier": "foo-1.0.0",
"relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"body": {
"serviceName": "foo",
"serviceVersion": "1.0.0",
"bundleFilepath": "/test/e2e/general-usecase/bundle.js",
"sourceMap": {
"version": 3,
"file": "static/js/main.chunk.js",
"sources": [
"fleet-source-map-client/src/index.css",
"fleet-source-map-client/src/App.js",
"webpack:///./src/index.css?bb0a",
"fleet-source-map-client/src/index.js",
"fleet-source-map-client/src/reportWebVitals.js"
],
"sourcesContent": [
"content"
],
"mappings": "mapping",
"sourceRoot": ""
}
},
"created": "2021-07-09T20:47:44.812Z",
"id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"compressionAlgorithm": "zlib",
"decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"decodedSize": 441,
"encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24",
"encodedSize": 237,
"encryptionAlgorithm": "none",
"packageName": "apm"
}
]
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (500)
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Response examples (501)
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}Upload a source map
Upload a source map for a specific service and version. You must have all Kibana privileges for the APM and User Experience feature.
The maximum payload size is 1mb. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the server.maxPayload variable.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Body
Required
-
bundle_filepath
string Required The absolute path of the final bundle as used in the web application.
-
service_name
string Required The name of the service that the service map should apply to.
-
service_version
string Required The version of the service that the service map should apply to.
-
sourcemap
string(binary) Required The source map. It can be a string or file upload. It must follow the source map format specification.
POST
/api/apm/sourcemaps
curl -X POST "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: multipart/form-data' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}' \
-F 'service_name="foo"' \
-F 'service_version="1.0.0"' \
-F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \
-F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"'
Response examples (200)
A successful response from `POST /api/apm/sourcemaps`.
{
"id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"body": "eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI",
"type": "sourcemap",
"created": "2021-07-09T20:47:44.812Z",
"identifier": "foo-1.0.0",
"decodedSize": 441,
"encodedSize": 237,
"packageName": "apm",
"relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24",
"encryptionAlgorithm": "none",
"compressionAlgorithm": "zlib"
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (500)
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Response examples (501)
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}Delete cases
You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
Query parameters
-
ids
array[string] Required The cases that you want to removed. All non-ASCII characters must be URL encoded.
DELETE
/api/cases
curl \
--request DELETE 'http://localhost:5622/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Update cases
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.
PATCH
/api/cases
curl \
--request PATCH 'http://localhost:5622/api/cases' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"cases":[{"id":"a18b38a0-71b0-11ea-a0b2-c51ea50a58e2","tags":["tag-1"],"version":"WzIzLDFd","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":null,"issueType":"10006"}},"description":"A case description.","customFields":[{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","value":false},{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My new field value"}]}]}'
Request example
{
"cases": [
{
"id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
"tags": [
"tag-1"
],
"version": "WzIzLDFd",
"settings": {
"syncAlerts": true
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": null,
"issueType": "10006"
}
},
"description": "A case description.",
"customFields": [
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": false
},
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My new field value"
}
]
}
]
}
Response examples (200)
[
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzU0OCwxXQ==",
"category": null,
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": null,
"issueType": "10006"
}
},
"created_at": "2023-10-13T09:16:17.416Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-13T09:48:33.043Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My new field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": false
}
],
"totalComment": 0,
"external_service": {
"pushed_at": "2023-10-13T09:20:40.672Z",
"pushed_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"external_id": "10003",
"connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
"external_url": "https://hms.atlassian.net/browse/IS-4",
"connector_name": "Jira",
"external_title": "IS-4"
}
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Add a case comment or alert
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
Body
object
Required
The add comment to case API request body varies depending on whether you are adding an alert or a comment.
Defines properties for case comment requests when type is alert.
alertId
string | array[string] Required The alert identifiers. It is required only when
typeisalert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule;indexmust also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.index
string | array[string] Required The alert indices. It is required only when
typeisalert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in thealertIdarray. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.-
owner
string Required The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are
cases,observability, orsecuritySolution. -
rule
object Required Technical preview The rule that is associated with the alerts. It is required only when
typeisalert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. -
type
string Required Discriminator The type of comment.
Value is
alert.
POST
/api/cases/{caseId}/comments
curl \
--request POST 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"type":"user","owner":"cases","comment":"A new comment."}'
Request example
{
"type": "user",
"owner": "cases",
"comment": "A new comment."
}
Response examples (200)
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get a case comment or alert
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
GET
/api/cases/{caseId}/comments/{commentId}
curl \
--request GET 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"id": "8048b460-fe2b-11ec-b15d-779a7c8bbcc3",
"type": "user",
"owner": "cases",
"comment": "A new comment",
"version": "WzIzLDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-07T19:32:13.104Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Delete a case comment or alert
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
DELETE
/api/cases/{caseId}/comments/{commentId}
curl \
--request DELETE 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Attach a file to a case
Attach a file to a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:
- The
Content-Type: multipart/form-dataHTTP header. - The location of the file that is being uploaded.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
POST
/api/cases/{caseId}/files
curl \
--request POST 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \
--header "Authorization: $API_KEY" \
--header "Content-Type: multipart/form-data" \
--header "kbn-xsrf: string" \
--form "file=@file" \
--form "filename=string"
Response examples (200)
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Find case activity
Retrives a paginated list of user activity for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
Query parameters
-
page
integer The page number to return.
Default value is
1. -
perPage
integer The number of items to return. Limited to 100 items.
Maximum value is
100. Default value is20. -
sortOrder
string Determines the sort order.
Values are
ascordesc. Default value isdesc. -
types
array[string] Determines the types of user actions to return.
Values are
action,alert,assignees,attachment,comment,connector,create_case,description,pushed,settings,severity,status,tags,title, oruser.
GET
/api/cases/{caseId}/user_actions/_find
curl \
--request GET 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions/_find' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"page": 1,
"total": 3,
"perPage": 20,
"userActions": [
{
"id": "b4cd0770-07c9-11ed-a5fd-47154cb8767e",
"type": "create_case",
"owner": "cases",
"action": "create",
"payload": {
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"category": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"description": "A case description.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
]
},
"version": "WzM1ODg4LDFd",
"comment_id": null,
"created_at": "2023-10-20T01:17:22.150Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
},
{
"id": "57af14a0-03b1-11ed-920c-974bfa104448",
"type": "comment",
"owner": "cases",
"action": "create",
"payload": {
"type": "user",
"owner": "cases",
"comment": "A new comment"
},
"version": "WzM1ODg4LDFa",
"comment_id": "578608d0-03b1-11ed-920c-974bfa104448",
"created_at": "2023-10-14T20:12:53.354Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
},
{
"id": "573c6980-6123-11ed-aa41-81a0a61fe447",
"type": "assignees",
"owner": "cases",
"action": "add",
"payload": {
"assignees": {
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
},
"version": "WzM1ODg4LDFb",
"comment_id": null,
"created_at": "2023-10-20T01:10:28.238Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
}
]
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Get cases for an alert
Technical preview
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Path parameters
-
alertId
string Required An identifier for the alert.
Query parameters
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
GET
/api/cases/alerts/{alertId}
curl \
--request GET 'http://localhost:5622/api/cases/alerts/09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "06116b80-e1c3-11ec-be9b-9b1838238ee6",
"title": "security_case"
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case connectors
Get information about connectors that are supported for use in cases. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
GET
/api/cases/configure/connectors/_find
curl \
--request GET 'http://localhost:5622/api/cases/configure/connectors/_find' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
"name": "my-Jira",
"config": {
"apiUrl": "https://elastic.atlassian.net/",
"projectKey": "ES"
},
"actionTypeId": ".jira",
"isDeprecated": false,
"isPreconfigured": false,
"isMissingSecrets": false,
"referencedByCount": 0
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case creators
Returns information about the users who opened cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.
Query parameters
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
GET
/api/cases/reporters
curl \
--request GET 'http://localhost:5622/api/cases/reporters' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
{
"email": "jdoe@example.com",
"username": "jdoe",
"full_name": "Jane Doe",
"profile_uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Path parameters
-
id
string Required An identifier for the connector.
Body
-
name
string Required The display name for the connector.
config
object The connector configuration details.
One of: bedrock_configobject crowdstrike_configobject d3security_configobject email_configobject gemini_configobject resilient_configobject index_configobject jira_configobject genai_azure_configobject genai_openai_configobject opsgenie_configobject pagerduty_configobject sentinelone_configobject servicenow_configobject servicenow_itom_configobject slack_api_configobject swimlane_configobject thehive_configobject tines_configobject torq_configobject webhook_configobject cases_webhook_configobject xmatters_configobject Defines properties for connectors when type is
.bedrock.secrets
object One of: bedrock_secretsobject crowdstrike_secretsobject d3security_secretsobject email_secretsobject gemini_secretsobject resilient_secretsobject jira_secretsobject teams_secretsobject genai_secretsobject opsgenie_secretsobject pagerduty_secretsobject sentinelone_secretsobject servicenow_secretsobject slack_api_secretsobject swimlane_secretsobject thehive_secretsobject tines_secretsobject torq_secretsobject webhook_secretsobject cases_webhook_secretsobject xmatters_secretsobject Defines secrets for connectors when type is
.bedrock.
PUT
/api/actions/connector/{id}
curl \
--request PUT 'http://localhost:5622/api/actions/connector/{id}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"updated-connector","config":{"index":"updated-index"}}'
Request example
{
"name": "updated-connector",
"config": {
"index": "updated-index"
}
}
Response examples (200)
{
"config": {},
"connector_type_id": "string",
"id": "string",
"is_deprecated": true,
"is_missing_secrets": true,
"is_preconfigured": true,
"is_system_action": true,
"name": "string"
}Path parameters
-
id
string Required An identifier for the connector.
Body
-
connector_type_id
string Required The type of connector.
-
name
string Required The display name for the connector.
config
object The connector configuration details.
One of: bedrock_configobject crowdstrike_configobject d3security_configobject email_configobject gemini_configobject resilient_configobject index_configobject jira_configobject genai_azure_configobject genai_openai_configobject opsgenie_configobject pagerduty_configobject sentinelone_configobject servicenow_configobject servicenow_itom_configobject slack_api_configobject swimlane_configobject thehive_configobject tines_configobject torq_configobject webhook_configobject cases_webhook_configobject xmatters_configobject Defines properties for connectors when type is
.bedrock.secrets
object One of: bedrock_secretsobject crowdstrike_secretsobject d3security_secretsobject email_secretsobject gemini_secretsobject resilient_secretsobject jira_secretsobject teams_secretsobject genai_secretsobject opsgenie_secretsobject pagerduty_secretsobject sentinelone_secretsobject servicenow_secretsobject slack_api_secretsobject swimlane_secretsobject thehive_secretsobject tines_secretsobject torq_secretsobject webhook_secretsobject cases_webhook_secretsobject xmatters_secretsobject Defines secrets for connectors when type is
.bedrock.
POST
/api/actions/connector/{id}
curl \
--request POST 'http://localhost:5622/api/actions/connector/{id}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"email-connector-1","config":{"from":"tester@example.com","host":"https://example.com","port":1025,"secure":false,"hasAuth":true,"service":"other"},"secrets":{"user":"username","password":"password"},"connector_type_id":".email"}'
Request examples
Create an email connector.
{
"name": "email-connector-1",
"config": {
"from": "tester@example.com",
"host": "https://example.com",
"port": 1025,
"secure": false,
"hasAuth": true,
"service": "other"
},
"secrets": {
"user": "username",
"password": "password"
},
"connector_type_id": ".email"
}{
"name": "my-connector",
"config": {
"index": "test-index"
},
"connector_type_id": ".index"
}{
"name": "my-webhook-connector",
"config": {
"url": "https://example.com",
"method": "post",
"authType": "webhook-authentication-ssl",
"certType": "ssl-crt-key"
},
"secrets": {
"crt": "QmFnIEF0dH...",
"key": "LS0tLS1CRUdJ...",
"password": "my-passphrase"
},
"connector_type_id": ".webhook"
}{
"name": "my-xmatters-connector",
"config": {
"usesBasic": false
},
"secrets": {
"secretsUrl": "https://example.com?apiKey=xxxxx"
},
"connector_type_id": ".xmatters"
}
Response examples (200)
A new email connector.
{
"id": "90a82c60-478f-11ee-a343-f98a117c727f",
"name": "email-connector-1",
"config": {
"from": "tester@example.com",
"host": "https://example.com",
"port": 1025,
"secure": false,
"hasAuth": true,
"service": "other",
"clientId": null,
"tenantId": null,
"oauthTokenUrl": null
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".email",
"is_missing_secrets": false
}{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"name": "my-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".index",
"is_missing_secrets": false
}{
"id": "900eb010-3b9d-11ee-a642-8ffbb94e38bd",
"name": "my-webhook-connector",
"config": {
"url": "https://example.com",
"method": "post",
"hasAuth": true,
"headers": null,
"authType": "webhook-authentication-ssl",
"certType": "ssl-crt-key",
"verificationMode": "full"
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".webhook",
"is_missing_secrets": false
}{
"id": "df770e30-8b8b-11ed-a780-3b746c987a81",
"name": "my_server_log_connector",
"config": {},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".server-log",
"is_missing_secrets": false
}Delete a connector
WARNING: When you delete a connector, it cannot be recovered.
Path parameters
-
id
string Required An identifier for the connector.
DELETE
/api/actions/connector/{id}
curl \
--request DELETE 'http://localhost:5622/api/actions/connector/{id}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
GET
/api/actions/connectors
curl \
--request GET 'http://localhost:5622/api/actions/connectors' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "preconfigured-email-connector",
"name": "my-preconfigured-email-notification",
"is_deprecated": false,
"is_preconfigured": true,
"is_system_action": false,
"connector_type_id": ".email",
"referenced_by_count": 0
},
{
"id": "e07d0c80-8b8b-11ed-a780-3b746c987a81",
"name": "my-index-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".index",
"is_missing_secrets": false,
"referenced_by_count": 2
}
]Get data streams
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
Query parameters
-
type
string Values are
logs,metrics,traces,synthetics, orprofiling. -
datasetQuery
string -
sortOrder
string Values are
ascordesc. Default value isasc. -
uncategorisedOnly
boolean Default value is
false.
GET
/api/fleet/epm/data_streams
curl \
--request GET 'http://localhost:5622/api/fleet/epm/data_streams' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"items": [
{
"name": "string"
}
]
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
GET
/api/data_views
curl \
--request GET 'http://localhost:5622/api/data_views' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"data_view": [
{
"id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
"name": "Kibana Sample Data eCommerce",
"title": "kibana_sample_data_ecommerce",
"typeMeta": {},
"namespaces": [
"default"
]
},
{
"id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
"name": "Kibana Sample Data Flights",
"title": "kibana_sample_data_flights",
"namespaces": [
"default"
]
},
{
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"name": "Kibana Sample Data Logs",
"title": "kibana_sample_data_logs",
"namespaces": [
"default"
]
}
]
}
Response examples (400)
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}Delete a data view
WARNING: When you delete a data view, it cannot be recovered.
Path parameters
-
viewId
string Required An identifier for the data view.
DELETE
/api/data_views/data_view/{viewId}
curl \
--request DELETE 'http://localhost:5622/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"
Response examples (404)
{
"error": "Not Found",
"message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
"statusCode": 404
}Create or update a runtime field
Path parameters
-
viewId
string Required The ID of the data view fields you want to update.
Body
Required
-
name
string Required The name for a runtime field.
-
runtimeField
object Required The runtime field definition object.
PUT
/api/data_views/data_view/{viewId}/runtime_field
curl \
--request PUT 'http://localhost:5622/api/data_views/data_view/{viewId}/runtime_field' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
Request example
{
"name": "runtimeFoo",
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc[\"foo\"].value)"
}
}
}
Response examples (200)
{
"data_view": {},
"fields": [
{}
]
}
Response examples (400)
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}Create a runtime field
Path parameters
-
viewId
string Required An identifier for the data view.
Body
Required
-
name
string Required The name for a runtime field.
-
runtimeField
object Required The runtime field definition object.
POST
/api/data_views/data_view/{viewId}/runtime_field
curl \
--request POST 'http://localhost:5622/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
Request example
{
"name": "runtimeFoo",
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc[\"foo\"].value)"
}
}
}
Response examples (200)
{}Reassign an agent
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
Path parameters
-
agentId
string Required
POST
/api/fleet/agents/{agentId}/reassign
curl \
--request POST 'http://localhost:5622/api/fleet/agents/{agentId}/reassign' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"policy_id":"string"}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"policy_id": "string"
}
Response examples (200)
{}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Unenroll an agent
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
Path parameters
-
agentId
string Required
POST
/api/fleet/agents/{agentId}/unenroll
curl \
--request POST 'http://localhost:5622/api/fleet/agents/{agentId}/unenroll' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"force":true,"revoke":true}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"force": true,
"revoke": true
}Bulk upgrade agents
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
Body
agents
array[string] | string Required -
batchSize
number -
force
boolean -
includeInactive
boolean Default value is
false. -
rollout_duration_seconds
number Minimum value is
600. -
skipRateLimitCheck
boolean -
source_uri
string -
start_time
string -
version
string Required
POST
/api/fleet/agents/bulk_upgrade
curl \
--request POST 'http://localhost:5622/api/fleet/agents/bulk_upgrade' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"agents":["string"],"batchSize":42.0,"force":true,"includeInactive":false,"rollout_duration_seconds":42.0,"skipRateLimitCheck":true,"source_uri":"string","start_time":"string","version":"string"}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"agents": [
"string"
],
"batchSize": 42.0,
"force": true,
"includeInactive": false,
"rollout_duration_seconds": 42.0,
"skipRateLimitCheck": true,
"source_uri": "string",
"start_time": "string",
"version": "string"
}
Response examples (200)
{
"actionId": "string"
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Create an agent policy
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].
Query parameters
-
sys_monitoring
boolean
Body
-
advanced_settings
object Additional properties are NOT allowed.
-
agent_features
array[object] -
agentless
object Additional properties are NOT allowed.
-
data_output_id
string | null -
description
string -
download_source_id
string | null -
fleet_server_host_id
string | null -
force
boolean -
has_fleet_server
boolean -
id
string -
inactivity_timeout
number Minimum value is
0. Default value is1209600. -
is_default
boolean -
is_default_fleet_server
boolean -
is_managed
boolean -
is_protected
boolean -
keep_monitoring_alive
boolean | null When set to true, monitoring will be enabled but logs/metrics collection will be disabled
Default value is
false. -
monitoring_diagnostics
object Additional properties are NOT allowed.
-
monitoring_enabled
array[string] Values are
logs,metrics, ortraces. -
monitoring_http
object Additional properties are NOT allowed.
-
monitoring_output_id
string | null -
monitoring_pprof_enabled
boolean -
name
string Required Minimum length is
1. -
namespace
string Required Minimum length is
1. -
overrides
object | null Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
Additional properties are allowed.
-
required_versions
array[object] | null -
space_ids
array[string] -
supports_agentless
boolean | null Indicates whether the agent policy supports agentless integrations.
Default value is
false. -
unenroll_timeout
number Minimum value is
0.
POST
/api/fleet/agent_policies
curl \
--request POST 'http://localhost:5622/api/fleet/agent_policies' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"advanced_settings":{},"agent_features":[{"enabled":true,"name":"string"}],"agentless":{"resources":{"requests":{"cpu":"string","memory":"string"}}},"data_output_id":"string","description":"string","download_source_id":"string","fleet_server_host_id":"string","force":true,"global_data_tags":[{"name":"string","value":"string"}],"has_fleet_server":true,"id":"string","inactivity_timeout":1209600,"is_default":true,"is_default_fleet_server":true,"is_managed":true,"is_protected":true,"keep_monitoring_alive":false,"monitoring_diagnostics":{"limit":{"burst":42.0,"interval":"string"},"uploader":{"init_dur":"string","max_dur":"string","max_retries":42.0}},"monitoring_enabled":["logs"],"monitoring_http":{"buffer":{"enabled":false},"enabled":true,"host":"string","port":42.0},"monitoring_output_id":"string","monitoring_pprof_enabled":true,"name":"string","namespace":"string","overrides":{},"required_versions":[{"percentage":42.0,"version":"string"}],"space_ids":["string"],"supports_agentless":false,"unenroll_timeout":42.0}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"force": true,
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"space_ids": [
"string"
],
"supports_agentless": false,
"unenroll_timeout": 42.0
}
Response examples (200)
{
"item": {
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"agents": 42.0,
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_preconfigured": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"package_policies": [
"string"
],
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"revision": 42.0,
"schema_version": "string",
"space_ids": [
"string"
],
"status": "active",
"supports_agentless": false,
"unenroll_timeout": 42.0,
"unprivileged_agents": 42.0,
"updated_at": "string",
"updated_by": "string",
"version": "string"
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Copy an agent policy
Copy an agent policy by ID.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].
Path parameters
-
agentPolicyId
string Required
Query parameters
-
format
string Values are
simplifiedorlegacy.
Body
-
description
string -
name
string Required Minimum length is
1.
POST
/api/fleet/agent_policies/{agentPolicyId}/copy
curl \
--request POST 'http://localhost:5622/api/fleet/agent_policies/{agentPolicyId}/copy' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"description":"string","name":"string"}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"name": "string"
}
Response examples (200)
{
"item": {
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"agents": 42.0,
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_preconfigured": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"package_policies": [
"string"
],
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"revision": 42.0,
"schema_version": "string",
"space_ids": [
"string"
],
"status": "active",
"supports_agentless": false,
"unenroll_timeout": 42.0,
"unprivileged_agents": 42.0,
"updated_at": "string",
"updated_by": "string",
"version": "string"
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Create a custom integration
[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].
Body
-
datasets
array[object] Required -
force
boolean -
integrationName
string Required
POST
/api/fleet/epm/custom_integrations
curl \
--request POST 'http://localhost:5622/api/fleet/epm/custom_integrations' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"datasets":[{"name":"string","type":"logs"}],"force":true,"integrationName":"string"}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"datasets": [
{
"name": "string",
"type": "logs"
}
],
"force": true,
"integrationName": "string"
}
Response examples (200)
{
"_meta": {
"install_source": "string"
},
"items": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
]
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Get packages
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
Query parameters
-
category
string -
prerelease
boolean -
excludeInstallStatus
boolean
GET
/api/fleet/epm/packages
curl \
--request GET 'http://localhost:5622/api/fleet/epm/packages' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"items": [
{
"categories": [
"string"
],
"conditions": {
"elastic": {
"capabilities": [
"string"
],
"subscription": "string"
},
"kibana": {
"version": "string"
}
},
"data_streams": [
{}
],
"description": "string",
"discovery": {
"fields": [
{
"name": "string"
}
]
},
"download": "string",
"format_version": "string",
"icons": [
{
"dark_mode": true,
"path": "string",
"size": "string",
"src": "string",
"title": "string",
"type": "string"
}
],
"id": "string",
"installationInfo": {
"additional_spaces_installed_kibana": {
"additionalProperty1": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
],
"additionalProperty2": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
]
},
"created_at": "string",
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"install_format_schema_version": "string",
"install_source": "registry",
"install_status": "installed",
"installed_es": [
{
"deferred": true,
"id": "string",
"type": "index",
"version": "string"
}
],
"installed_kibana": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
],
"installed_kibana_space_id": "string",
"latest_executed_state": {
"error": "string",
"name": "string",
"started_at": "string"
},
"latest_install_failed_attempts": [
{
"created_at": "string",
"error": {
"message": "string",
"name": "string",
"stack": "string"
},
"target_version": "string"
}
],
"name": "string",
"namespaces": [
"string"
],
"type": "string",
"updated_at": "string",
"verification_key_id": "string",
"verification_status": "unverified",
"version": "string"
},
"integration": "string",
"internal": true,
"latestVersion": "string",
"name": "string",
"owner": {
"github": "string",
"type": "elastic"
},
"path": "string",
"policy_templates": [
{}
],
"readme": "string",
"release": "ga",
"signature_path": "string",
"source": {
"license": "string"
},
"status": "string",
"title": "string",
"type": "integration",
"vars": [
{}
],
"version": "string"
}
]
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Install a package by upload
[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].
Query parameters
-
ignoreMappingUpdateErrors
boolean Default value is
false. -
skipDataStreamRollover
boolean Default value is
false.
Body
string(binary)
string(binary)
POST
/api/fleet/epm/packages
curl \
--request POST 'http://localhost:5622/api/fleet/epm/packages' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/gzip; application/zip" \
--header "kbn-xsrf: true" \
--data-binary '@file'Get package stats
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
Path parameters
-
pkgName
string Required
GET
/api/fleet/epm/packages/{pkgName}/stats
curl \
--request GET 'http://localhost:5622/api/fleet/epm/packages/{pkgName}/stats' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"response": {
"agent_policy_count": 42.0
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Update settings
[Required authorization] Route required privileges: ALL of [fleet-settings-all].
Body
-
additional_yaml_config
string -
delete_unenrolled_agents
object Additional properties are NOT allowed.
-
has_seen_add_data_notice
boolean -
kibana_ca_sha256
string -
kibana_urls
array[string(uri)] -
prerelease_integrations_enabled
boolean
PUT
/api/fleet/settings
curl \
--request PUT 'http://localhost:5622/api/fleet/settings' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"additional_yaml_config":"string","delete_unenrolled_agents":{"enabled":true,"is_preconfigured":true},"has_seen_add_data_notice":true,"kibana_ca_sha256":"string","kibana_urls":["https://example.com"],"prerelease_integrations_enabled":true}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"additional_yaml_config": "string",
"delete_unenrolled_agents": {
"enabled": true,
"is_preconfigured": true
},
"has_seen_add_data_notice": true,
"kibana_ca_sha256": "string",
"kibana_urls": [
"https://example.com"
],
"prerelease_integrations_enabled": true
}
Response examples (200)
{
"item": {
"delete_unenrolled_agents": {
"enabled": true,
"is_preconfigured": true
},
"has_seen_add_data_notice": true,
"id": "string",
"output_secret_storage_requirements_met": true,
"preconfigured_fields": [
"fleet_server_hosts"
],
"prerelease_integrations_enabled": true,
"secret_storage_requirements_met": true,
"use_space_awareness_migration_started_at": "string",
"use_space_awareness_migration_status": "pending",
"version": "string"
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Response examples (404)
{
"message": "string"
}Get output
Get output by ID.
[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].
Path parameters
-
outputId
string Required
GET
/api/fleet/outputs/{outputId}
curl \
--request GET 'http://localhost:5622/api/fleet/outputs/{outputId}' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"item": {
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"https://example.com"
],
"id": "string",
"is_default": false,
"is_default_monitoring": false,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"preset": "balanced",
"proxy_id": "string",
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "elasticsearch"
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Update output
Update output by ID.
[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].
Path parameters
-
outputId
string Required
Body
object
-
allow_edit
array[string] -
ca_sha256
string | null -
ca_trusted_fingerprint
string | null -
config_yaml
string | null -
hosts
array[string(uri)] At least
1element. -
id
string -
is_default
boolean -
is_default_monitoring
boolean -
is_internal
boolean -
is_preconfigured
boolean -
name
string -
preset
string Values are
balanced,custom,throughput,scale, orlatency. -
proxy_id
string | null -
shipper
object | null Additional properties are NOT allowed.
-
ssl
object | null Additional properties are NOT allowed.
-
type
string Value is
elasticsearch.
PUT
/api/fleet/outputs/{outputId}
curl \
--request PUT 'http://localhost:5622/api/fleet/outputs/{outputId}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"allow_edit":["string"],"ca_sha256":"string","ca_trusted_fingerprint":"string","config_yaml":"string","hosts":["https://example.com"],"id":"string","is_default":true,"is_default_monitoring":true,"is_internal":true,"is_preconfigured":true,"name":"string","preset":"balanced","proxy_id":"string","shipper":{"compression_level":42.0,"disk_queue_compression_enabled":true,"disk_queue_enabled":false,"disk_queue_encryption_enabled":true,"disk_queue_max_size":42.0,"disk_queue_path":"string","loadbalance":true,"max_batch_bytes":42.0,"mem_queue_events":42.0,"queue_flush_timeout":42.0},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string","verification_mode":"full"},"type":"elasticsearch"}'
Request examples
Object-1
# Headers
kbn-xsrf: true
# Payload
{
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"https://example.com"
],
"id": "string",
"is_default": true,
"is_default_monitoring": true,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"preset": "balanced",
"proxy_id": "string",
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "elasticsearch"
}# Headers
kbn-xsrf: true
# Payload
{
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"https://example.com"
],
"id": "string",
"is_default": true,
"is_default_monitoring": true,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"preset": "balanced",
"proxy_id": "string",
"secrets": {
"service_token": {
"id": "string"
}
},
"service_token": "string",
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "remote_elasticsearch"
}# Headers
kbn-xsrf: true
# Payload
{
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"string"
],
"id": "string",
"is_default": true,
"is_default_monitoring": true,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"proxy_id": "string",
"secrets": {
"ssl": {
"key": {
"id": "string"
}
}
},
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "logstash"
}# Headers
kbn-xsrf: true
# Payload
{
"allow_edit": [
"string"
],
"auth_type": "none",
"broker_timeout": 42.0,
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"client_id": "string",
"compression": "gzip",
"compression_level": [],
"config_yaml": "string",
"connection_type": [],
"hash": {
"hash": "string",
"random": true
},
"headers": [
{
"key": "string",
"value": "string"
}
],
"hosts": [
"string"
],
"id": "string",
"is_default": false,
"is_default_monitoring": false,
"is_internal": true,
"is_preconfigured": true,
"key": "string",
"name": "string",
"partition": "random",
"password": [],
"proxy_id": "string",
"random": {
"group_events": 42.0
},
"required_acks": 1,
"round_robin": {
"group_events": 42.0
},
"sasl": {
"mechanism": "PLAIN"
},
"secrets": {
"password": {
"id": "string"
},
"ssl": {
"key": {
"id": "string"
}
}
},
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"timeout": 42.0,
"topic": "string",
"type": "kafka",
"username": [],
"version": "string"
}
Response examples (200)
{
"item": {
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"https://example.com"
],
"id": "string",
"is_default": false,
"is_default_monitoring": false,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"preset": "balanced",
"proxy_id": "string",
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "elasticsearch"
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Query parameters
-
format
string Values are
simplifiedorlegacy.
Body
object
You should use inputs as an object and not use the deprecated inputs array.
-
description
string Package policy description
-
enabled
boolean -
force
boolean Force package policy creation even if package is not verified, or if the agent policy is managed.
-
id
string Package policy unique identifier
-
inputs
array[object] Required -
is_managed
boolean -
name
string Required Package policy name (should be unique)
-
namespace
string The package policy namespace. Leave blank to inherit the agent policy's namespace.
-
output_id
string | null -
overrides
object | null Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
Additional properties are NOT allowed.
-
package
object Additional properties are NOT allowed.
-
policy_id
string | null Deprecated Agent policy ID where that package policy will be added
-
policy_ids
array[string] Agent policy IDs where that package policy will be added
-
supports_agentless
boolean | null Indicates whether the package policy belongs to an agentless agent policy.
Default value is
false. -
vars
object Package variable (see integration documentation for more information)
POST
/api/fleet/package_policies
curl \
--request POST 'http://localhost:5622/api/fleet/package_policies' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"description":"string","enabled":true,"force":true,"id":"string","inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}'
Request examples
Object-1
# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"enabled": true,
"force": true,
"id": "string",
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"supports_agentless": false,
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"force": true,
"id": "string",
"inputs": {
"additionalProperty1": {
"enabled": true,
"streams": {
"additionalProperty1": {
"enabled": true,
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"vars": {}
}
},
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"streams": {
"additionalProperty1": {
"enabled": true,
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"vars": {}
}
},
"vars": {}
}
},
"name": "string",
"namespace": "string",
"output_id": "string",
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"supports_agentless": false,
"vars": {}
}
Response examples (200)
{
"item": {
"agents": 42.0,
"created_at": "string",
"created_by": "string",
"description": "string",
"elasticsearch": {
"privileges": {
"cluster": [
"string"
]
}
},
"enabled": true,
"id": "string",
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"revision": 42.0,
"secret_references": [
{
"id": "string"
}
],
"spaceIds": [
"string"
],
"supports_agentless": false,
"updated_at": "string",
"updated_by": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"version": "string"
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Response examples (409)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Delete a package policy
Delete a package policy by ID.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].
Path parameters
-
packagePolicyId
string Required
Query parameters
-
force
boolean
DELETE
/api/fleet/package_policies/{packagePolicyId}
curl \
--request DELETE 'http://localhost:5622/api/fleet/package_policies/{packagePolicyId}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
Response examples (200)
{
"id": "string"
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Get a Fleet Server host
Get a Fleet Server host by ID.
[Required authorization] Route required privileges: ALL of [fleet-settings-read].
Path parameters
-
itemId
string Required
GET
/api/fleet/fleet_server_hosts/{itemId}
curl \
--request GET 'http://localhost:5622/api/fleet/fleet_server_hosts/{itemId}' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"item": {
"host_urls": [
"string"
],
"id": "string",
"is_default": false,
"is_internal": true,
"is_preconfigured": false,
"name": "string",
"proxy_id": "string"
}
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get a Logstash pipeline
Technical Preview
Get information for a centrally-managed Logstash pipeline.
To use this API, you must have either the logstash_admin built-in role or a customized Logstash reader role.
Path parameters
-
id
string Required An identifier for the pipeline.
GET
/api/logstash/pipeline/{id}
curl \
--request GET 'http://localhost:5622/api/logstash/pipeline/{id}' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"id": "hello-world",
"description": "Just a simple pipeline",
"username": "elastic",
"pipeline": "input { stdin {} } output { stdout {} }",
"settings": {
"queue.type": "persistent"
}
}Rotate a Fleet message signing key pair
[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].
Query parameters
-
acknowledge
boolean Default value is
false.
POST
/api/fleet/message_signing_service/rotate_key_pair
curl \
--request POST 'http://localhost:5622/api/fleet/message_signing_service/rotate_key_pair' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
Response examples (200)
{
"message": "string"
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Response examples (500)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Machine learning
Machine learning
Delete saved objects
Deprecated
WARNING: When you delete a saved object, it cannot be recovered.
Query parameters
-
force
boolean When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation.
POST
/api/saved_objects/_bulk_delete
curl \
--request POST 'http://localhost:5622/api/saved_objects/_bulk_delete' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '[{}]'
Request examples
# Headers
kbn-xsrf: string
# Payload
[
{}
]
Response examples (200)
{}
Response examples (400)
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}Apply a bulk action to anonymization fields
Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.
POST
/api/security_ai_assistant/anonymization_fields/_bulk_action
curl \
--request POST 'http://localhost:5622/api/security_ai_assistant/anonymization_fields/_bulk_action' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"create":[{"allowed":true,"anonymized":true,"field":"string"}],"delete":{"ids":["string"],"query":"string"},"update":[{"allowed":true,"anonymized":true,"id":"string"}]}'
Request examples
{
"create": [
{
"allowed": true,
"anonymized": true,
"field": "string"
}
],
"delete": {
"ids": [
"string"
],
"query": "string"
},
"update": [
{
"allowed": true,
"anonymized": true,
"id": "string"
}
]
}
Response examples (200)
{
"anonymization_fields_count": 42,
"attributes": {
"errors": [
{
"anonymization_fields": [
{
"id": "string",
"name": "string"
}
],
"err_code": "string",
"message": "string",
"status_code": 42
}
],
"results": {
"created": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
],
"deleted": [
"string"
],
"skipped": [
{
"id": "string",
"name": "string",
"skip_reason": "ANONYMIZATION_FIELD_NOT_MODIFIED"
}
],
"updated": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
]
},
"summary": {
"failed": 42,
"skipped": 42,
"succeeded": 42,
"total": 42
}
},
"message": "string",
"status_code": 42,
"success": true
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Delete a detection rule
Delete a detection rule using the rule_id or id field.
Responses
-
200 application/json
Indicates a successful call.
Any of: Security_Detections_API_EqlRuleResponseFieldsobject Security_Detections_API_QueryRuleResponseFieldsobject Security_Detections_API_SavedQueryRuleResponseFieldsobject Security_Detections_API_ThresholdRuleResponseFieldsobject Security_Detections_API_ThreatMatchRuleResponseFieldsobject Security_Detections_API_MachineLearningRuleResponseFieldsobject Security_Detections_API_NewTermsRuleResponseFieldsobject Security_Detections_API_EsqlRuleResponseFieldsobject
DELETE
/api/detection_engine/rules
curl \
--request DELETE 'http://localhost:5622/api/detection_engine/rules' \
--header "Authorization: $API_KEY"
Response examples (200)
Security_detections_api_eqlruleresponsefields
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"type": "query",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"saved_id": "string",
"language": "kuery",
"query": "string"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"saved_id": "string",
"type": "saved_query",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"query": "string",
"language": "kuery"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"query": "string",
"threshold": {
"cardinality": [
{
"field": "string",
"value": 42
}
],
"field": "string",
"value": 42
},
"type": "threshold",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
}
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"saved_id": "string",
"language": "kuery"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"query": "string",
"threat_index": [
"string"
],
"threat_mapping": [
{
"entries": [
{
"field": "string",
"type": "mapping",
"value": "string"
}
]
}
],
"threat_query": "string",
"type": "threat_match",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"concurrent_searches": 42,
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"items_per_search": 42,
"saved_id": "string",
"threat_filters": [],
"threat_indicator_path": "string",
"threat_language": "kuery",
"language": "kuery"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"anomaly_threshold": 42,
"machine_learning_job_id": "string",
"type": "machine_learning",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
}
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"history_window_start": "string",
"new_terms_fields": [
"string"
],
"query": "string",
"type": "new_terms",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"language": "kuery"
}{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "1h",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"language": "esql",
"query": "string",
"type": "esql"
}