Update a pack

Bulk get agent policies

POST /api/fleet/agent_policies/_bulk_get

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

format string

Values are simplified or legacy.

application/json

Body

full boolean

get full policies with package policies populated
ids array[string] Required

list of package policy ids
ignoreMissing boolean

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  advanced_settings object
  
  Additional properties are NOT allowed.
  
  Hide advanced_settings attributes Show advanced_settings attributes object
  
  agent_download_target_directory
  
  agent_download_timeout
  
  agent_limits_go_max_procs
  
  agent_logging_files_interval
  
  agent_logging_files_keepfiles
  
  agent_logging_files_rotateeverybytes
  
  agent_logging_level
  
  agent_logging_metrics_period
  
  agent_logging_to_files
  
  agent_features array[object]
  
  Hide agent_features attributes Show agent_features attributes object
  
  enabled boolean Required
  
  name string Required
  
  agentless object
  
  Additional properties are NOT allowed.
  
  Hide agentless attribute Show agentless attribute object
  
  resources object
  
  Additional properties are NOT allowed.
  
  Hide resources attribute Show resources attribute object
  
  requests object
  
  Additional properties are NOT allowed.
  
  Hide requests attributes Show requests attributes object
  
  cpu string
  
  memory string
  
  agents number
  
  data_output_id string | null
  
  description string
  
  download_source_id string | null
  
  fleet_server_host_id string | null
  
  global_data_tags array[object]
  
  User defined data tags that are added to all of the inputs. The values can be strings or numbers.
  
  Hide global_data_tags attributes Show global_data_tags attributes object
  
  name string Required
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  has_fleet_server boolean
  
  id string Required
  
  inactivity_timeout number
  
  Minimum value is 0. Default value is 1209600.
  
  is_default boolean
  
  is_default_fleet_server boolean
  
  is_managed boolean Required
  
  is_preconfigured boolean
  
  is_protected boolean Required
  
  Indicates whether the agent policy has tamper protection enabled. Default false.
  
  keep_monitoring_alive boolean | null
  
  When set to true, monitoring will be enabled but logs/metrics collection will be disabled
  
  Default value is false.
  
  monitoring_diagnostics object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_diagnostics attributes Show monitoring_diagnostics attributes object
  
  limit object
  
  Additional properties are NOT allowed.
  
  Hide limit attributes Show limit attributes object
  
  burst number
  
  interval string
  
  uploader object
  
  Additional properties are NOT allowed.
  
  Hide uploader attributes Show uploader attributes object
  
  init_dur string
  
  max_dur string
  
  max_retries number
  
  monitoring_enabled array[string]
  
  Values are logs, metrics, or traces.
  
  monitoring_http object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_http attributes Show monitoring_http attributes object
  
  buffer object
  
  Additional properties are NOT allowed.
  
  Hide buffer attribute Show buffer attribute object
  
  enabled boolean
  
  Default value is false.
  
  enabled boolean
  
  host string
  
  port number
  
  Minimum value is 0, maximum value is 65353.
  
  monitoring_output_id string | null
  
  monitoring_pprof_enabled boolean
  
  name string Required
  
  Minimum length is 1.
  
  namespace string Required
  
  Minimum length is 1.
  
  overrides object | null
  
  Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are allowed.
  
  package_policies array[string] | array[object]
  
  Any of:
  array-1 array[string] array-2 array[object]
  
  This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
  
  Hide attributes Show attributes object
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
  
  required_versions array[object] | null
  
  Hide required_versions attributes Show required_versions attributes object
  
  percentage number Required
  
  Target percentage of agents to auto upgrade
  
  Minimum value is 0, maximum value is 100.
  
  version string Required
  
  Target version for automatic agent upgrade
  
  revision number Required
  
  schema_version string
  
  space_ids array[string]
  
  status string Required
  
  Values are active or inactive.
  
  supports_agentless boolean | null
  
  Indicates whether the agent policy supports agentless integrations.
  
  Default value is false.
  
  unenroll_timeout number
  
  Minimum value is 0.
  
  unprivileged_agents number
  
  updated_at string Required
  
  updated_by string Required
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

POST /api/fleet/agent_policies/_bulk_get

curl \
 --request POST 'http://localhost:5622/api/fleet/agent_policies/_bulk_get' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"full":true,"ids":["string"],"ignoreMissing":true}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "full": true,
  "ids": [
    "string"
  ],
  "ignoreMissing": true
}

Response examples (200)

{
  "items": [
    {
      "advanced_settings": {},
      "agent_features": [
        {
          "enabled": true,
          "name": "string"
        }
      ],
      "agentless": {
        "resources": {
          "requests": {
            "cpu": "string",
            "memory": "string"
          }
        }
      },
      "agents": 42.0,
      "data_output_id": "string",
      "description": "string",
      "download_source_id": "string",
      "fleet_server_host_id": "string",
      "global_data_tags": [
        {
          "name": "string",
          "value": "string"
        }
      ],
      "has_fleet_server": true,
      "id": "string",
      "inactivity_timeout": 1209600,
      "is_default": true,
      "is_default_fleet_server": true,
      "is_managed": true,
      "is_preconfigured": true,
      "is_protected": true,
      "keep_monitoring_alive": false,
      "monitoring_diagnostics": {
        "limit": {
          "burst": 42.0,
          "interval": "string"
        },
        "uploader": {
          "init_dur": "string",
          "max_dur": "string",
          "max_retries": 42.0
        }
      },
      "monitoring_enabled": [
        "logs"
      ],
      "monitoring_http": {
        "buffer": {
          "enabled": false
        },
        "enabled": true,
        "host": "string",
        "port": 42.0
      },
      "monitoring_output_id": "string",
      "monitoring_pprof_enabled": true,
      "name": "string",
      "namespace": "string",
      "overrides": {},
      "package_policies": [
        "string"
      ],
      "required_versions": [
        {
          "percentage": 42.0,
          "version": "string"
        }
      ],
      "revision": 42.0,
      "schema_version": "string",
      "space_ids": [
        "string"
      ],
      "status": "active",
      "supports_agentless": false,
      "unenroll_timeout": 42.0,
      "unprivileged_agents": 42.0,
      "updated_at": "string",
      "updated_by": "string",
      "version": "string"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a full K8s agent manifest

GET /api/fleet/kubernetes

Api key auth Basic auth

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].

Query parameters

download boolean
fleetServer string
enrolToken string

Responses

200 application/json
Hide response attribute Show response attribute object
- item string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/kubernetes

curl \
 --request GET 'http://localhost:5622/api/fleet/kubernetes' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "item": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create or update roles

POST /api/security/roles

Api key auth Basic auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

roles object Required
Hide roles attribute Show roles attribute object
- * object Additional properties
  
  Additional properties are NOT allowed.
  Hide * attributes Show * attributes object
  
  description string
  
  A description for the role.
  
  Maximum length is 2048.
  
  elasticsearch object Required
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  cluster array[string]
  
  Cluster privileges that define the cluster level actions that users can perform.
  
  indices array[object]
  
  Hide indices attributes Show indices attributes object
  
  allow_restricted_indices boolean
  
  Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
  
  field_security object
  
  Hide field_security attribute Show field_security attribute object
  
  * array[string] Additional properties
  
  The document fields that the role members have read access to.
  
  names array[string] Required
  
  The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
  
  At least 1 element.
  
  privileges array[string] Required
  
  The index level privileges that the role members have for the data streams and indices.
  
  At least 1 element.
  
  query string
  
  A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
  
  remote_cluster array[object]
  
  Hide remote_cluster attributes Show remote_cluster attributes object
  
  clusters array[string] Required
  
  A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
  
  At least 1 element.
  
  privileges array[string] Required
  
  The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
  
  At least 1 element.
  
  remote_indices array[object]
  
  Hide remote_indices attributes Show remote_indices attributes object
  
  allow_restricted_indices boolean
  
  Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
  
  clusters array[string] Required
  
  A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
  
  At least 1 element.
  
  field_security object
  
  Hide field_security attribute Show field_security attribute object
  
  * array[string] Additional properties
  
  The document fields that the role members have read access to.
  
  names array[string] Required
  
  A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
  
  At least 1 element.
  
  privileges array[string] Required
  
  The index level privileges that role members have for the specified indices.
  
  At least 1 element.
  
  query string
  
  A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
  
  run_as array[string]
  
  A user name that the role member can impersonate.
  
  kibana array[object]
  
  Hide kibana attributes Show kibana attributes object
  
  base array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  feature object
  
  Hide feature attribute Show feature attribute object
  
  * array[string] Additional properties
  
  The privileges that the role member has for the feature.
  
  spaces array[string]
  
  Any of:
  array-1 array[string] array-2 array[string]
  
  At least 1 but not more than 1 element. Value is *. Default value is ["*"].
  
  metadata object
  
  Additional properties are allowed.

Responses

200

Indicates a successful call.

POST /api/security/roles

curl \
 --request POST 'http://localhost:5622/api/security/roles' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"roles":{"additionalProperty1":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}},"additionalProperty2":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}}}}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "roles": {
    "additionalProperty1": {
      "description": "string",
      "elasticsearch": {
        "cluster": [
          "string"
        ],
        "indices": [
          {
            "allow_restricted_indices": true,
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "remote_cluster": [
          {
            "clusters": [
              "string"
            ],
            "privileges": [
              "string"
            ]
          }
        ],
        "remote_indices": [
          {
            "allow_restricted_indices": true,
            "clusters": [
              "string"
            ],
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "run_as": [
          "string"
        ]
      },
      "kibana": [
        {
          "base": [],
          "feature": {
            "additionalProperty1": [
              "string"
            ],
            "additionalProperty2": [
              "string"
            ]
          },
          "spaces": [
            "*"
          ]
        }
      ],
      "metadata": {}
    },
    "additionalProperty2": {
      "description": "string",
      "elasticsearch": {
        "cluster": [
          "string"
        ],
        "indices": [
          {
            "allow_restricted_indices": true,
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "remote_cluster": [
          {
            "clusters": [
              "string"
            ],
            "privileges": [
              "string"
            ]
          }
        ],
        "remote_indices": [
          {
            "allow_restricted_indices": true,
            "clusters": [
              "string"
            ],
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "run_as": [
          "string"
        ]
      },
      "kibana": [
        {
          "base": [],
          "feature": {
            "additionalProperty1": [
              "string"
            ],
            "additionalProperty2": [
              "string"
            ]
          },
          "spaces": [
            "*"
          ]
        }
      ],
      "metadata": {}
    }
  }
}

Get conversations

GET /api/security_ai_assistant/current_user/conversations/_find

Api key auth Basic auth

Get a list of all conversations for the current user.

Query parameters

fields array[string]
filter string

Search query
sort_field string

Field to sort by

Values are created_at, is_default, title, or updated_at.
sort_order string

Sort order

Values are asc or desc.
page integer

Page number

Minimum value is 1. Default value is 1.
per_page integer

Conversations per page

Minimum value is 0. Default value is 20.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- data array[object] Required
  
  Hide data attributes Show data attributes object
  
  apiConfig object
  
  LLM API configuration.
  
  Hide apiConfig attributes Show apiConfig attributes object
  
  actionTypeId string Required
  
  action type id
  
  connectorId string Required
  
  connector id
  
  defaultSystemPromptId string
  
  defaultSystemPromptId
  
  model string
  
  model
  
  provider string
  
  Provider
  
  Values are OpenAI, Azure OpenAI, or Other.
  
  category string Required
  
  The conversation category.
  
  Values are assistant or insights.
  
  createdAt string Required
  
  The last time conversation was updated.
  
  excludeFromLastConversationStorage boolean
  
  excludeFromLastConversationStorage.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  isDefault boolean
  
  Is default conversation.
  
  messages array[object]
  
  The conversation messages.
  
  AI assistant conversation message.
  
  Hide messages attributes Show messages attributes object
  
  content string Required
  
  Message content.
  
  isError boolean
  
  Is error message.
  
  metadata object
  
  metadata
  
  Hide metadata attribute Show metadata attribute object
  
  contentReferences object
  
  Data refered to by the message content.
  
  reader object
  
  Message content.
  
  Additional properties are allowed.
  
  role string Required
  
  Message role.
  
  Values are system, user, or assistant.
  
  timestamp string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  traceData object
  
  trace Data
  
  Hide traceData attributes Show traceData attributes object
  
  traceId string
  
  Could be any string, not necessarily a UUID
  
  transactionId string
  
  Could be any string, not necessarily a UUID
  
  namespace string Required
  
  Kibana space
  
  replacements object
  
  Replacements object used to anonymize/deanomymize messsages
  
  Hide replacements attribute Show replacements attribute object
  
  * string Additional properties
  
  summary object
  
  Hide summary attributes Show summary attributes object
  
  confidence string
  
  How confident you are about this being a correct and useful learning.
  
  Values are low, medium, or high.
  
  content string
  
  Summary text of the conversation over time.
  
  public boolean
  
  Define if summary is marked as publicly available.
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  title string Required
  
  The conversation title.
  
  updatedAt string
  
  The last time conversation was updated.
  
  users array[object] Required
  
  Could be any string, not necessarily a UUID
  
  Hide users attributes Show users attributes object
  
  id string
  
  User id
  
  name string
  
  User name
- page integer Required
- perPage integer Required
- total integer Required
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

GET /api/security_ai_assistant/current_user/conversations/_find

curl \
 --request GET 'http://localhost:5622/api/security_ai_assistant/current_user/conversations/_find' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data": [
    {
      "apiConfig": {
        "actionTypeId": "string",
        "connectorId": "string",
        "defaultSystemPromptId": "string",
        "model": "string",
        "provider": "OpenAI"
      },
      "category": "assistant",
      "createdAt": "string",
      "excludeFromLastConversationStorage": true,
      "id": "string",
      "isDefault": true,
      "messages": [
        {
          "content": "string",
          "isError": true,
          "metadata": {
            "contentReferences": {}
          },
          "reader": {},
          "role": "system",
          "timestamp": "string",
          "traceData": {
            "traceId": "string",
            "transactionId": "string"
          }
        }
      ],
      "namespace": "string",
      "replacements": {
        "additionalProperty1": "string",
        "additionalProperty2": "string"
      },
      "summary": {
        "confidence": "low",
        "content": "string",
        "public": true,
        "timestamp": "string"
      },
      "timestamp": "string",
      "title": "string",
      "updatedAt": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ]
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Retrieve a detection rule

GET /api/detection_engine/rules

Api key auth Basic auth

Retrieve a detection rule using the rule_id or id field.

Query parameters

id string(uuid)

The rule's id value.
rule_id string

The rule's rule_id value.

Responses

200 application/json

Indicates a successful call.
Any of:
Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

language string Required

Query language to use

Value is eql.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is eql.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

event_category_override string

filters array

index array[string]

tiebreaker_field string

Sets a secondary field for sorting events

timestamp_field string

Contains the event timestamp used for sorting a sequence of events
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

type string Required Discriminator

Rule type

Value is query.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

saved_id string

language string Required

Values are kuery or lucene.

query string Required

EQL query to execute
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

saved_id string Required

type string Required Discriminator

Rule type

Value is saved_query.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

query string

EQL query to execute

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

query string Required

EQL query to execute

threshold object Required

Hide threshold attributes Show threshold attributes object

cardinality array[object]

Hide cardinality attributes Show cardinality attributes object

field string Required

value integer Required

Minimum value is 0.

field string Required

value integer Required

Threshold value

Minimum value is 1.

type string Required Discriminator

Rule type

Value is threshold.

alert_suppression object

Hide alert_suppression attribute Show alert_suppression attribute object

duration object Required

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

data_view_id string

filters array

index array[string]

saved_id string

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

query string Required

EQL query to execute

threat_index array[string] Required

threat_mapping array[object] Required

At least 1 element.

Hide threat_mapping attribute Show threat_mapping attribute object

entries array[object] Required

Hide entries attributes Show entries attributes object

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required

Value is mapping.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

threat_query string Required

Query to run

type string Required Discriminator

Rule type

Value is threat_match.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

concurrent_searches integer

Minimum value is 1.

data_view_id string

filters array

index array[string]

items_per_search integer

Minimum value is 1.

saved_id string

threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values

threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)

threat_language string

Values are kuery or lucene.

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

anomaly_threshold integer Required

Anomaly threshold

Minimum value is 0.

machine_learning_job_id string Required

type string Required Discriminator

Rule type

Value is machine_learning.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

history_window_start string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

new_terms_fields array[string] Required

At least 1 but not more than 3 elements.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is new_terms.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

language string Required

Value is esql.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is esql.

GET /api/detection_engine/rules

curl \
 --request GET 'http://localhost:5622/api/detection_engine/rules' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "language": "eql",
  "query": "string",
  "type": "eql",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "event_category_override": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "tiebreaker_field": "string",
  "timestamp_field": "string"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "type": "query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "query": "string"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "saved_id": "string",
  "type": "saved_query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "query": "string",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "query": "string",
  "threshold": {
    "cardinality": [
      {
        "field": "string",
        "value": 42
      }
    ],
    "field": "string",
    "value": 42
  },
  "type": "threshold",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    }
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "query": "string",
  "threat_index": [
    "string"
  ],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "string",
          "type": "mapping",
          "value": "string"
        }
      ]
    }
  ],
  "threat_query": "string",
  "type": "threat_match",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "concurrent_searches": 42,
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "items_per_search": 42,
  "saved_id": "string",
  "threat_filters": [],
  "threat_indicator_path": "string",
  "threat_language": "kuery",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "anomaly_threshold": 42,
  "machine_learning_job_id": "string",
  "type": "machine_learning",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  }
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "history_window_start": "string",
  "new_terms_fields": [
    "string"
  ],
  "query": "string",
  "type": "new_terms",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "language": "esql",
  "query": "string",
  "type": "esql"
}

Get an endpoint exception list item

GET /api/endpoint_list/items

Api key auth Basic auth

Get the details of an endpoint exception list item using the id or item_id field.

Query parameters

id string(nonempty)

Either id or item_id must be specified

Minimum length is 1.
item_id string(nonempty)

Either id or item_id must be specified

Minimum length is 1.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows.
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json

Invalid input data
One of:
Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Insufficient privileges
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

Endpoint list item not found
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/endpoint_list/items

curl \
 --request GET 'http://localhost:5622/api/endpoint_list/items' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "_version": "string",
    "comments": [
      {
        "comment": "string",
        "created_at": "2025-05-04T09:42:00Z",
        "created_by": "string",
        "id": "string",
        "updated_at": "2025-05-04T09:42:00Z",
        "updated_by": "string"
      }
    ],
    "created_at": "2025-05-04T09:42:00Z",
    "created_by": "string",
    "description": "string",
    "entries": [
      {
        "field": "string",
        "operator": "excluded",
        "type": "match",
        "value": "string"
      }
    ],
    "expire_time": "2025-05-04T09:42:00Z",
    "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
    "item_id": "simple_list_item",
    "list_id": "simple_list",
    "meta": {},
    "name": "string",
    "namespace_type": "agnostic",
    "os_types": [
      "linux"
    ],
    "tags": [
      "string"
    ],
    "tie_breaker_id": "string",
    "type": "simple",
    "updated_at": "2025-05-04T09:42:00Z",
    "updated_by": "string"
  }
]

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (404)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Get value lists

GET /api/lists/_find

Api key auth Basic auth

Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page.

Query parameters

page integer

The page number to return.
per_page integer

The number of value lists to return per page.
sort_field string(nonempty)

Determines which field is used to sort the results.

Minimum length is 1.
sort_order string

Determines the sort order, which can be desc or asc

Values are desc or asc.
cursor string(nonempty)

Returns the lists that come after the last lists returned in the previous call (use the cursor value returned in the previous call). This parameter uses the tie_breaker_id field to ensure all lists are sorted and returned correctly.

Minimum length is 1.
filter string

Filters the returned results according to the value of the specified field, using the : syntax.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- cursor string(nonempty) Required
  
  Minimum length is 1.
- data array[object] Required
  
  Hide data attributes Show data attributes object
  
  _version string
  
  The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
  
  @timestamp string(date-time)
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string Required
  
  Autogenerated value - user that created object.
  
  description string(nonempty) Required
  
  Describes the value list.
  
  Minimum length is 1.
  
  deserializer string
  
  Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
  
  {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
  
  {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
  
  {{{gte}}},{{{lte}}} - Date range values.
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  immutable boolean Required
  
  meta object
  
  Placeholder for metadata about the value list.
  
  Additional properties are allowed.
  
  name string(nonempty) Required
  
  Value list's name.
  
  Minimum length is 1.
  
  serializer string
  
  Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
  
  (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
  
  (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
  
  tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  updated_at string(date-time) Required
  
  Autogenerated date of last object update.
  
  updated_by string Required
  
  Autogenerated value - user that last updated object.
  
  version integer Required
  
  The document version number.
  
  Minimum value is 1.
- page integer Required
  
  Minimum value is 0.
- per_page integer Required
  
  Minimum value is 0.
- total integer Required
  
  Minimum value is 0.
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/lists/_find

curl \
 --request GET 'http://localhost:5622/api/lists/_find' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data": [
    {
      "id": "ip_list",
      "name": "Simple list with an ip",
      "type": "ip",
      "version": 1,
      "_version": "WzAsMV0=",
      "immutable": false,
      "@timestamp": "2025-01-08T04:47:34.273Z\n",
      "created_at": "2025-01-08T04:47:34.273Z\n",
      "created_by": "elastic",
      "updated_at": "2025-01-08T04:47:34.273Z\n",
      "updated_by": "elastic",
      "description": "This list describes bad internet ip",
      "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
    }
  ],
  "page": 1,
  "total": 1,
  "cursor": "WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d",
  "per_page": 20
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request query]: page: Expected number, received nan",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

PUT /api/osquery/packs/{id}

Api key auth Basic auth

Update a query pack using the pack ID.

You cannot update a prebuilt pack.

Path parameters

id string | null Required

The ID of the pack you want to run, retrieve, update, or delete.

application/json

Body Required

description string | null

The pack description.
enabled boolean | null

Enables the pack.
name string

The pack name.
policy_ids array[string] | null

A list of agents policy IDs.
queries object

An object of queries.
Hide queries attribute Show queries attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  ecs_mapping object | null
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object | null
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
  
  id string
  
  The ID of the query.
  
  platform string | null
  
  Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
  
  query string
  
  The SQL query you want to run.
  
  removed boolean | null
  
  Indicates whether the query is removed.
  
  saved_query_id string | null
  
  The ID of a saved query.
  
  snapshot boolean | null
  
  Indicates whether the query is a snapshot.
  
  version string | null
  
  Uses the Osquery versions greater than or equal to the specified version string.
shards object

An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
Hide shards attribute Show shards attribute object
- * number Additional properties

Responses

200 application/json

OK

PUT /api/osquery/packs/{id}

curl \
 --request PUT 'http://localhost:5622/api/osquery/packs/3c42c847-eb30-4452-80e0-728584042334' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"name":"updated_my_pack_name"}'

Request example

{
  "name": "updated_my_pack_name"
}

Response examples (200)

{
  "data": {
    "name": "updated_my_pack_name",
    "shards": [
      {
        "key": "47638692-7c4c-4053-aa3e-7186f28df349",
        "value": 35
      },
      {
        "key": "5e267651-fe50-443e-8d3f-3bbc9171b618",
        "value": 58
      }
    ],
    "enabled": true,
    "queries": {
      "ports": {
        "query": "SELECT * FROM listening_ports;",
        "removed": false,
        "timeout": 120,
        "interval": 60,
        "snapshot": true,
        "ecs_mapping": {
          "client.port": {
            "field": "port"
          }
        }
      }
    },
    "created_at": "2025-02-26T13:37:30.452Z",
    "created_by": "elastic",
    "updated_at": "2025-02-26T13:40:16.297Z",
    "updated_by": "elastic",
    "description": "My pack",
    "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856"
  }
}

value string | number Required

package_policies array[string] | array[object]

base array | null | boolean | number | object | string Required

spaces array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

Body Required

value string | array[string]