Get information about rules Beta
Query parameters
- per_page number: The number of rules to return per page. Minimum value is 0. Default value is 10.
- page number: The page number to return. Minimum value is 1. Default value is 1.
- search string: An Elasticsearch simple_query_string query that filters the objects in the response.
- default_search_operator string: The default operator to use for the simple_query_string. Values are OR or AND. Default value is OR.
- search_fields array[string] | string: The fields to perform the simple_query_string parsed query against.
- sort_field string: Determines which field is used to sort the results. The field must exist in the attributes key of the response.
- sort_order string: Determines the sort order. Values are asc or desc.
- has_reference object | null: Filters the rules that have a relation with the reference objects with a specific type and identifier. Additional properties are NOT allowed.
- fields array[string]: The fields to return in the attributes key of the response.
- filter string: A KQL string that filters on an attribute of your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you use a direct attribute of a saved object, such as updatedAt, you must define your filter accordingly, for example, savedObjectType.updatedAt > 2018-12-22.
- filter_consumers array[string]: List of consumers to filter.
curl \
--request GET https://<KIBANA_URL>/api/alerting/rules/_find
{
"data": [
{
"id": "3583a470-74f6-11ed-9801-35303b735aef",
"name": "my alert",
"tags": [
"cpu"
],
"params": {
"index": [
"test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "9dca3e00-74f5-11ed-9801-35303b735aef",
"uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
"connector_type_id": ".server-log"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
}
}
],
"enabled": true,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
}
},
"mute_all": false,
"next_run": "2022-12-06T01:45:23.912Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2022-12-05T23:40:33.132Z",
"created_by": "elastic",
"updated_at": "2022-12-05T23:40:33.132Z",
"updated_by": "elastic",
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 48,
"last_execution_date": "2022-12-06T01:44:23.983Z"
},
"scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
"api_key_created_by_user": false
}
],
"page": 1,
"total": 1,
"per_page": 10
}
{
"data": [
{
"id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
"name": "security_rule",
"tags": [],
"params": {
"to": "now",
"from": "now-3660s",
"meta": {
"from": "1h",
"kibana_siem_app_url": "https://localhost:5601/app/security"
},
"type": "threshold",
"index": [
"kibana_sample_data_logs"
],
"query": "*",
"author": [],
"ruleId": "an_internal_rule_id",
"threat": [],
"filters": [],
"license": "",
"version": 1,
"language": "kuery",
"severity": "low",
"immutable": false,
"riskScore": 21,
"threshold": {
"field": [
"bytes"
],
"value": 1,
"cardinality": []
},
"maxSignals": 100,
"references": [],
"description": "A security threshold rule.",
"outputIndex": "",
"exceptionsList": [],
"falsePositives": [],
"severityMapping": [],
"riskScoreMapping": []
},
"actions": [
{
"id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
"uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"group": "default",
"params": {
"documents": [
{
"rule_id": {
"[object Object]": null
},
"alert_id": {
"[object Object]": null
},
"rule_name": {
"[object Object]": null
},
"context_message": {
"[object Object]": null
}
}
]
},
"frequency": {
"summary": true,
"throttle": null,
"notify_when": "onActiveAlert"
},
"alerts_filter": {
"query": {
"kql": "",
"filters": [
{
"meta": {
"key": "client.geo.region_iso_code",
"alias": null,
"field": "client.geo.region_iso_code",
"index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
"negate": false,
"params": {
"type": "phrase",
"query": "CA-QC"
},
"disabled": false
},
"query": {
"match_phrase": {
"client.geo.region_iso_code": "CA-QC"
}
},
"$state": {
"store": "appState"
}
}
]
},
"timeframe": {
"days": [
7
],
"hours": {
"end": "17:00",
"start": "08:00"
},
"timezone": "UTC"
}
},
"connector_type_id": ".index"
}
],
"enabled": true,
"running": false,
"consumer": "siem",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": [
"Rule execution completed successfully"
],
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
},
"outcome_order": 0
},
"mute_all": false,
"next_run": "2023-05-16T20:27:49.507Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2023-05-16T15:50:28.358Z",
"created_by": "elastic",
"updated_at": "2023-05-16T20:25:42.559Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": "siem.thresholdRule",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 166,
"last_execution_date": "2023-05-16T20:26:49.590Z"
},
"scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
"api_key_created_by_user": false
}
],
"page": 1,
"total": 1,
"per_page": 10
}
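The parameters above combine into a paged listing, and the response fields shown (enabled, mute_all, execution_status, last_run) are what an operator checks to find rules that silently stop alerting. The script below is an added example, not Kibana's own client code: it builds the _find URL with a properly encoded KQL filter, pages until total is covered, and reports disabled, muted or failing rules. It assumes the saved object type for rules is alert (so the filter uses alert.attributes.consumer) and that the response has the data/page/per_page/total shape shown above; the HTTP call is a fetch callable so the script runs offline against the constructed pages at the bottom.

```python
"""Page through /api/alerting/rules/_find and flag rules that leave a detection gap.

Added example, not Kibana's own client code. Assumptions: the saved object type
used in `filter` is `alert`, and the response shape is the one shown above
(`data`, `page`, `per_page`, `total`). `fetch` is any callable taking a URL and
returning the parsed JSON body; fake_fetch below serves constructed sample data.
"""
from typing import Callable, Iterator, List
from urllib.parse import parse_qs, urlencode, urlparse

FIND_PATH = "/api/alerting/rules/_find"


def build_find_url(base_url: str, **params) -> str:
    """Assemble the _find URL. urlencode escapes the quotes and colons in a KQL
    filter, and doseq=True turns list values (filter_consumers) into repeated keys."""
    query = urlencode({k: v for k, v in params.items() if v is not None}, doseq=True)
    return f"{base_url.rstrip('/')}{FIND_PATH}?{query}"


def iter_rules(fetch: Callable[[str], dict], base_url: str,
               per_page: int = 10, **params) -> Iterator[dict]:
    """Yield every rule, advancing `page` until page * per_page covers `total`."""
    page = 1
    while True:
        body = fetch(build_find_url(base_url, page=page, per_page=per_page, **params))
        yield from body["data"]
        if not body["data"] or page * body["per_page"] >= body["total"]:
            return
        page += 1


def detection_gaps(rules) -> List[dict]:
    """A disabled, muted or failing rule produces no alerts: report it with reasons."""
    findings = []
    for rule in rules:
        reasons = []
        if not rule.get("enabled"):
            reasons.append("disabled")
        if rule.get("mute_all"):
            reasons.append("mute_all")
        status = rule.get("execution_status", {}).get("status")
        if status != "ok":
            reasons.append(f"execution_status={status}")
        outcome = rule.get("last_run", {}).get("outcome")
        if outcome != "succeeded":
            reasons.append(f"last_run={outcome}")
        if reasons:
            findings.append({"id": rule["id"], "name": rule["name"],
                             "consumer": rule.get("consumer"), "reasons": reasons})
    return findings


# --- constructed sample data: three rules served over two pages ---------------
def _rule(rid, name, consumer, enabled=True, status="ok", outcome="succeeded", mute_all=False):
    return {"id": rid, "name": name, "consumer": consumer, "enabled": enabled,
            "mute_all": mute_all, "execution_status": {"status": status},
            "last_run": {"outcome": outcome}}


SAMPLE_RULES = [
    _rule("r-1", "cpu threshold", "alerts"),
    _rule("r-2", "suspicious logon", "siem", enabled=False),
    _rule("r-3", "bytes threshold", "siem", status="error", outcome="failed"),
]


def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated HTTP GET; pages SAMPLE_RULES by per_page."""
    qs = parse_qs(urlparse(url).query)
    page, per_page = int(qs["page"][0]), int(qs["per_page"][0])
    start = (page - 1) * per_page
    return {"data": SAMPLE_RULES[start:start + per_page], "page": page,
            "per_page": per_page, "total": len(SAMPLE_RULES)}


def audit(fetch=fake_fetch, base_url="https://kibana.example") -> List[dict]:
    """Run the paged query with a KQL filter and return the detection-gap findings."""
    rules = iter_rules(fetch, base_url, per_page=2,
                       filter='alert.attributes.consumer: "siem" or alert.attributes.consumer: "alerts"')
    return detection_gaps(rules)


if __name__ == "__main__":
    for f in audit():
        print(f["id"], f["name"], ", ".join(f["reasons"]))
```

For a live instance, replace fake_fetch with a function that performs the GET with your API key and returns the parsed body; the pagination and checks are unchanged. Run it on a schedule and alert on a non-empty result, since a detection rule that is disabled or failing is a gap that the rule itself will never report.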
APM agent configuration
Adjust APM agent configuration without need to redeploy your application.
Get agent name for service Beta
Retrieve agentName for a service.
Headers
- elastic-api-version string: The version of the API to use. Value is 2023-10-31. Default value is 2023-10-31.
Query parameters
- serviceName string: The name of the service.
curl \
--request GET https://<KIBANA_URL>/api/apm/settings/agent-configuration/agent_name?serviceName=node \
--header "elastic-api-version: 2023-10-31"
{
"agentName": "nodejs"
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Get source maps Beta
Returns an array of Fleet artifacts, including source map uploads.
Headers
- elastic-api-version string: The version of the API to use. Value is 2023-10-31. Default value is 2023-10-31.
curl \
--request GET https://<KIBANA_URL>/api/apm/sourcemaps \
--header "elastic-api-version: 2023-10-31"
{
"artifacts": [
{
"body": {
"bundleFilepath": "string",
"serviceName": "string",
"serviceVersion": "string",
"sourceMap": {
"file": "string",
"mappings": "string",
"sourceRoot": "string",
"sources": [
"string"
],
"sourcesContent": [
"string"
],
"version": 42.0
}
},
"compressionAlgorithm": "string",
"created": "string",
"decodedSha256": "string",
"decodedSize": 42.0,
"encodedSha256": "string",
"encodedSize": 42.0,
"encryptionAlgorithm": "string",
"id": "string",
"identifier": "string",
"packageName": "string",
"relative_url": "string",
"type": "string"
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}
Get all connectors Beta
curl \
--request GET https://<KIBANA_URL>/api/actions/connectors
[
{
"id": "preconfigured-email-connector",
"name": "my-preconfigured-email-notification",
"is_deprecated": false,
"is_preconfigured": true,
"is_system_action": false,
"connector_type_id": ".email",
"referenced_by_count": 0
},
{
"id": "e07d0c80-8b8b-11ed-a780-3b746c987a81",
"name": "my-index-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".index",
"is_missing_secrets": false,
"referenced_by_count": 2
}
]
Get a data view Beta
Path parameters
- An identifier for the data view.
curl \
--request GET https://<KIBANA_URL>/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f
{
"data_view": {
"id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
"name": "Kibana Sample Data eCommerce",
"title": "kibana_sample_data_ecommerce",
"fields": {
"_id": {
"name": "_id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_id"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"sku": {
"name": "sku",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"type": {
"name": "type",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"user": {
"name": "user",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"email": {
"name": "email",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"_index": {
"name": "_index",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_index"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": false
},
"_score": {
"name": "_score",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"_source": {
"name": "_source",
"type": "_source",
"count": 0,
"format": {
"id": "_source"
},
"esTypes": [
"_source"
],
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"category": {
"name": "category",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"currency": {
"name": "currency",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"order_id": {
"name": "order_id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"order_date": {
"name": "order_date",
"type": "date",
"count": 0,
"format": {
"id": "date"
},
"esTypes": [
"date"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_id": {
"name": "customer_id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"day_of_week": {
"name": "day_of_week",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"manufacturer": {
"name": "manufacturer",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products._id": {
"name": "products._id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.sku": {
"name": "products.sku",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"day_of_week_i": {
"name": "day_of_week_i",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"event.dataset": {
"name": "event.dataset",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_phone": {
"name": "customer_phone",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"geoip.location": {
"name": "geoip.location",
"type": "geo_point",
"count": 0,
"format": {
"id": "geo_point",
"params": {
"transform": "wkt"
}
},
"esTypes": [
"geo_point"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.price": {
"name": "products.price",
"type": "number",
"count": 1,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"total_quantity": {
"name": "total_quantity",
"type": "number",
"count": 1,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_gender": {
"name": "customer_gender",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"geoip.city_name": {
"name": "geoip.city_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"category.keyword": {
"name": "category.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "category"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"geoip.region_name": {
"name": "geoip.region_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.category": {
"name": "products.category",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.quantity": {
"name": "products.quantity",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_full_name": {
"name": "customer_full_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"customer_last_name": {
"name": "customer_last_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.min_price": {
"name": "products.min_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"taxful_total_price": {
"name": "taxful_total_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_birth_date": {
"name": "customer_birth_date",
"type": "date",
"count": 0,
"format": {
"id": "date"
},
"esTypes": [
"date"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_first_name": {
"name": "customer_first_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.base_price": {
"name": "products.base_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.created_on": {
"name": "products.created_on",
"type": "date",
"count": 0,
"format": {
"id": "date"
},
"esTypes": [
"date"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.product_id": {
"name": "products.product_id",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"long"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.tax_amount": {
"name": "products.tax_amount",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"taxless_total_price": {
"name": "taxless_total_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"geoip.continent_name": {
"name": "geoip.continent_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"manufacturer.keyword": {
"name": "manufacturer.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "manufacturer"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products._id.keyword": {
"name": "products._id.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "products._id"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.manufacturer": {
"name": "products.manufacturer",
"type": "string",
"count": 1,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.product_name": {
"name": "products.product_name",
"type": "string",
"count": 1,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.taxful_price": {
"name": "products.taxful_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"total_unique_products": {
"name": "total_unique_products",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"geoip.country_iso_code": {
"name": "geoip.country_iso_code",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.taxless_price": {
"name": "products.taxless_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.base_unit_price": {
"name": "products.base_unit_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.discount_amount": {
"name": "products.discount_amount",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.category.keyword": {
"name": "products.category.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "products.category"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_full_name.keyword": {
"name": "customer_full_name.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "customer_full_name"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_last_name.keyword": {
"name": "customer_last_name.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "customer_last_name"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_first_name.keyword": {
"name": "customer_first_name.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "customer_first_name"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.discount_percentage": {
"name": "products.discount_percentage",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.manufacturer.keyword": {
"name": "products.manufacturer.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "products.manufacturer"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.product_name.keyword": {
"name": "products.product_name.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "products.product_name"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.unit_discount_amount": {
"name": "products.unit_discount_amount",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
}
},
"version": "WzUsMV0=",
"typeMeta": {},
"fieldAttrs": {
"products.price": {
"count": 1
},
"total_quantity": {
"count": 1
},
"products.manufacturer": {
"count": 1
},
"products.product_name": {
"count": 1
}
},
"namespaces": [
"default"
],
"allowNoIndex": false,
"fieldFormats": {
"products.price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"products.min_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"taxful_total_price": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
},
"products.base_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"taxless_total_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"products.taxful_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"products.taxless_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"products.base_unit_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
}
},
"sourceFilters": [],
"timeFieldName": "order_date",
"runtimeFieldMap": {}
}
}
{
"error": "Not Found",
"message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
"statusCode": 404
}
Preview a saved object reference swap Beta
Preview the impact of swapping saved object references from one data view identifier to another.
Body Required
- delete boolean: Deletes referenced saved object if all references are removed.
- forId string | array[string]: Limit the affected saved objects to one or more by identifier.
- forType string: Limit the affected saved objects by type.
- fromId: The saved object reference to change.
- fromType string: Specify the type of the saved object reference to alter. The default value is index-pattern for data views.
- toId: New saved object reference value to replace the old value.
curl \
--request POST https://<KIBANA_URL>/api/data_views/swap_references/_preview \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"toId":"xyz-123","fromId":"abcd-efg"}'
{
"toId": "xyz-123",
"fromId": "abcd-efg"
}
{
"result": [
{
"id": "string",
"type": "string"
}
]
}
Create an agent binary download source Beta
[Required authorization] Route required privileges: ALL of [fleet-settings-all].
curl \
--request POST https://<KIBANA_URL>/api/fleet/agent_download_sources \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"host":"https://example.com","id":"string","is_default":false,"name":"string","proxy_id":"string"}'
# Headers
kbn-xsrf: true
# Payload
{
"host": "https://example.com",
"id": "string",
"is_default": false,
"name": "string",
"proxy_id": "string"
}
{
"item": {
"host": "https://example.com",
"id": "string",
"is_default": false,
"name": "string",
"proxy_id": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get outputs for agent policies Beta
Get a list of outputs associated with agent policies.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].
curl \
--request POST https://<KIBANA_URL>/api/fleet/agent_policies/outputs \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"ids":["string"]}'
# Headers
kbn-xsrf: true
# Payload
{
"ids": [
"string"
]
}
{
"items": [
{
"agentPolicyId": "string",
"data": {
"integrations": [
{
"id": "string",
"integrationPolicyName": "string",
"name": "string",
"pkgName": "string"
}
],
"output": {
"id": "string",
"name": "string"
}
},
"monitoring": {
"output": {
"id": "string",
"name": "string"
}
}
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get agent tags Beta
[Required authorization] Route required privileges: ALL of [fleet-agents-read].
curl \
--request GET https://<KIBANA_URL>/api/fleet/agents/tags
{
"items": [
"string"
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Authorize transforms Beta
curl \
--request POST https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"transforms":[{"transformId":"string"}]}'
# Headers
kbn-xsrf: true
# Payload
{
"transforms": [
{
"transformId": "string"
}
]
}
[
{
"success": true,
"transformId": "string"
}
]
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Check Fleet Server health Beta
[Required authorization] Route required privileges: ALL of [fleet-settings-all].
curl \
--request POST https://<KIBANA_URL>/api/fleet/health_check \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"id":"string"}'
# Headers
kbn-xsrf: true
# Payload
{
"id": "string"
}
{
"host_id": "string",
"name": "string",
"status": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Delete a package policy Beta
Delete a package policy by ID.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].
Query parameters
- force boolean
curl \
--request DELETE https://<KIBANA_URL>/api/fleet/package_policies/{packagePolicyId} \
--header "kbn-xsrf: true"
{
"id": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get Fleet Server hosts Beta
[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].
curl \
--request GET https://<KIBANA_URL>/api/fleet/fleet_server_hosts
{
"items": [
{
"host_urls": [
"string"
],
"id": "string",
"is_default": false,
"is_internal": true,
"is_preconfigured": false,
"name": "string",
"proxy_id": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Roles
Manage the roles that grant Elasticsearch and Kibana privileges.
Create or update roles Beta
curl \
--request POST https://<KIBANA_URL>/api/security/roles \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"roles":{"additionalProperty1":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}},"additionalProperty2":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}}}}'
# Headers
kbn-xsrf: true
# Payload
{
"roles": {
"additionalProperty1": {
"description": "string",
"elasticsearch": {
"cluster": [
"string"
],
"indices": [
{
"allow_restricted_indices": true,
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"remote_cluster": [
{
"clusters": [
"string"
],
"privileges": [
"string"
]
}
],
"remote_indices": [
{
"allow_restricted_indices": true,
"clusters": [
"string"
],
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"run_as": [
"string"
]
},
"kibana": [
{
"base": [],
"feature": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"spaces": [
"*"
]
}
],
"metadata": {}
},
"additionalProperty2": {
"description": "string",
"elasticsearch": {
"cluster": [
"string"
],
"indices": [
{
"allow_restricted_indices": true,
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"remote_cluster": [
{
"clusters": [
"string"
],
"privileges": [
"string"
]
}
],
"remote_indices": [
{
"allow_restricted_indices": true,
"clusters": [
"string"
],
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"run_as": [
"string"
]
},
"kibana": [
{
"base": [],
"feature": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"spaces": [
"*"
]
}
],
"metadata": {}
}
}
}
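Before a role body like the one above is sent to `POST /api/security/roles`, it is worth checking it for grants that exceed least privilege: cluster-wide administrative privileges, `*` index patterns, `allow_restricted_indices`, `run_as`, or a Kibana `base: ["all"]` in every space. The following is an added example, not Kibana's own code: the body shape follows the request schema above, while the checks, the role names, the index names and the space id are this example's own choices.

```python
"""Pre-flight review of a Kibana role body before it is sent to
POST /api/security/roles. Added example, not Kibana's own code: the body
shape follows the request schema above; the checks, role names, index names
and space id are this example's own choices."""
from typing import Dict, List

# Constructed sample roles: a narrowly scoped reader and a deliberately broad one.
SAMPLE_ROLES: Dict[str, Dict] = {
    "soc_alert_reader": {
        "description": "Read-only access to security alerts in the security space",
        "elasticsearch": {
            "cluster": ["monitor"],
            "indices": [
                {
                    "names": [".alerts-security.alerts-default"],
                    "privileges": ["read", "view_index_metadata"],
                    "allow_restricted_indices": False,
                }
            ],
            "run_as": [],
        },
        "kibana": [{"base": [], "feature": {"siem": ["read"]}, "spaces": ["security"]}],
        "metadata": {},
    },
    "everything_admin": {
        "description": "Copied from a lab cluster; far too broad for production",
        "elasticsearch": {
            "cluster": ["all"],
            "indices": [{"names": ["*"], "privileges": ["all"], "allow_restricted_indices": True}],
            "run_as": ["*"],
        },
        "kibana": [{"base": ["all"], "feature": {}, "spaces": ["*"]}],
        "metadata": {},
    },
}

# Cluster privileges that amount to administrative control (this example's list).
ADMIN_CLUSTER_PRIVILEGES = {"all", "manage", "manage_security"}


def review_role(name: str, role: Dict) -> List[str]:
    """Return human-readable findings for grants that exceed least privilege."""
    findings: List[str] = []
    es = role.get("elasticsearch", {})

    broad_cluster = ADMIN_CLUSTER_PRIVILEGES & set(es.get("cluster", []))
    if broad_cluster:
        findings.append(f"{name}: cluster privileges {sorted(broad_cluster)} grant administrative control")

    for idx in es.get("indices", []):
        names = idx.get("names", [])
        if "*" in names:
            findings.append(f"{name}: index pattern {names} matches every index")
        if "all" in idx.get("privileges", []):
            findings.append(f"{name}: 'all' index privilege on {names} allows delete and mapping changes")
        if idx.get("allow_restricted_indices"):
            findings.append(f"{name}: allow_restricted_indices exposes system indices such as .security")

    if es.get("run_as"):
        findings.append(f"{name}: run_as {es['run_as']} lets holders impersonate other users")

    for entry in role.get("kibana", []):
        if "all" in entry.get("base", []) and "*" in entry.get("spaces", []):
            findings.append(f"{name}: Kibana base privilege 'all' in every space")

    return findings


def review_roles(roles: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Review every role in a /api/security/roles request body ({"roles": {...}})."""
    return {name: review_role(name, role) for name, role in roles.items()}


if __name__ == "__main__":
    for role_name, issues in review_roles(SAMPLE_ROLES).items():
        print(role_name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

A clean run of `review_roles` on the `roles` map is a cheap gate to put in front of the API call; any finding should be answered with a narrower index pattern, a feature privilege instead of `base: ["all"]`, or a removed `run_as` entry.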
Import saved objects Beta
Create sets of Kibana saved objects from a file created by the export API. Saved objects can be imported only into the same version, a newer minor on the same major, or the next major. Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
Query parameters
-
createNewCopies boolean
Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.
-
overwrite boolean
Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.
-
compatibilityMode boolean
Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.
Body Required
-
A file exported using the export API. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.
curl \
-X POST api/saved_objects/_import?createNewCopies=true \
-H "kbn-xsrf: true" \
--form file=@file.ndjson
# Payload
file: file.ndjson
{
"success": true,
"successCount": 1,
"successResults": [
{
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"meta": {
"icon": "indexPatternApp",
"title": "Kibana Sample Data Logs"
},
"type": "index-pattern",
"managed": false,
"destinationId": "82d2760c-468f-49cf-83aa-b9a35b6a8943"
}
]
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
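The option exclusions and the two size limits described above are cheap to enforce on the client before the upload starts, which avoids a rejected request after a large file has been sent. The block below is an added example, not Kibana's own code: it validates the query-parameter combination, counts the objects in an export file against `savedObjects.maxImportExportSize` and its byte size against `savedObjects.maxImportPayloadBytes` (both values must be supplied by the caller, since they come from the target's kibana.yml), and hand-builds the multipart body that `--form file=@file.ndjson` would send together with the `kbn-xsrf` header. Treating a line without a `type` key as the export-details line rather than a saved object, and the sample export file, are this example's assumptions.

```python
"""Client-side checks for POST /api/saved_objects/_import. Added example, not
Kibana's own code: it enforces the option exclusions and the two size limits
described above before any bytes leave the machine. The limit values are
passed in by the caller, because they come from the target's kibana.yml."""
import json
import uuid
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode


def options_compatible(create_new_copies: bool, overwrite: bool, compatibility_mode: bool) -> bool:
    """createNewCopies cannot be combined with overwrite or compatibilityMode."""
    return not (create_new_copies and (overwrite or compatibility_mode))


def import_query(create_new_copies: bool = False, overwrite: bool = False,
                 compatibility_mode: bool = False) -> str:
    """Build the query string, rejecting the combinations the API refuses."""
    if not options_compatible(create_new_copies, overwrite, compatibility_mode):
        raise ValueError("createNewCopies cannot be combined with overwrite or compatibilityMode")
    flags = {"createNewCopies": create_new_copies, "overwrite": overwrite,
             "compatibilityMode": compatibility_mode}
    return urlencode({k: "true" for k, v in flags.items() if v})


def check_limits(ndjson: bytes, max_objects: int, max_payload_bytes: int) -> Tuple[int, List[str]]:
    """Count saved objects in an export file and compare against
    savedObjects.maxImportExportSize / savedObjects.maxImportPayloadBytes.
    Assumption: every saved-object line carries a "type" key, so a trailing
    export-details line without one is not counted as an object."""
    problems: List[str] = []
    count = 0
    for line_no, raw in enumerate(ndjson.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError as exc:
            problems.append(f"line {line_no}: not valid JSON ({exc.msg})")
            continue
        if isinstance(obj, dict) and "type" in obj:
            count += 1
    if count > max_objects:
        problems.append(f"{count} objects exceed savedObjects.maxImportExportSize={max_objects}")
    if len(ndjson) > max_payload_bytes:
        problems.append(f"{len(ndjson)} bytes exceed savedObjects.maxImportPayloadBytes={max_payload_bytes}")
    return count, problems


def multipart_file(field: str, filename: str, content: bytes,
                   boundary: Optional[str] = None) -> Tuple[bytes, Dict[str, str]]:
    """Hand-build the multipart/form-data body that curl's --form would send,
    returning (body, headers) including the kbn-xsrf header the API requires."""
    boundary = boundary or uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: application/x-ndjson\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}", "kbn-xsrf": "true"}
    return body, headers


# Constructed export file: two saved objects plus an export-details line.
SAMPLE_EXPORT = b"\n".join([
    b'{"type":"index-pattern","id":"a1","attributes":{"title":"logs-*"},"references":[]}',
    b'{"type":"dashboard","id":"d1","attributes":{"title":"Ops"},"references":[{"id":"a1","type":"index-pattern","name":"ip"}]}',
    b'{"exportedCount":2,"missingRefCount":0,"missingReferences":[]}',
])

if __name__ == "__main__":
    print(import_query(create_new_copies=True))
    # Limit values are placeholders; read the real ones from the target's kibana.yml.
    print(check_limits(SAMPLE_EXPORT, max_objects=10000, max_payload_bytes=26214400))
    body, headers = multipart_file("file", "file.ndjson", SAMPLE_EXPORT)
    print(headers["Content-Type"], len(body), "bytes")
```

Run `check_limits` and `import_query` first; only when both pass, send the `multipart_file` body with its headers to `api/saved_objects/_import?` followed by the query string.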
Update a conversation Beta
Update an existing conversation using the conversation ID.
Path parameters
-
The conversation's `id` value. Minimum length is 1.
Body Required
-
apiConfig object
LLM API configuration.
Additional properties are allowed.
-
category string
The conversation category.
Values are `assistant` or `insights`.
-
excludeFromLastConversationStorage boolean
-
A string that does not contain only whitespace characters. Minimum length is 1.
-
messages array[object]
The conversation messages.
-
replacements object
Replacements object used to anonymize/deanonymize messages.
-
summary object
Additional properties are allowed.
-
title string
The conversation title.
curl \
--request PUT https://<KIBANA_URL>/api/security_ai_assistant/current_user/conversations/{id} \
--header "Content-Type: application/json" \
--data '{"apiConfig":{"actionTypeId":"string","connectorId":"string","defaultSystemPromptId":"string","model":"string","provider":"OpenAI"},"category":"assistant","excludeFromLastConversationStorage":true,"id":"string","messages":[{"content":"string","isError":true,"metadata":{"contentReferences":{}},"reader":{},"role":"system","timestamp":"string","traceData":{"traceId":"string","transactionId":"string"}}],"replacements":{"additionalProperty1":"string","additionalProperty2":"string"},"summary":{"confidence":"low","content":"string","public":true,"timestamp":"string"},"title":"string"}'
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"excludeFromLastConversationStorage": true,
"id": "string",
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"title": "string"
}
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"createdAt": "string",
"excludeFromLastConversationStorage": true,
"id": "string",
"isDefault": true,
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"namespace": "string",
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"timestamp": "string",
"title": "string",
"updatedAt": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Delete a conversation Beta
Delete an existing conversation using the conversation ID.
Path parameters
-
The conversation's `id` value. Minimum length is 1.
curl \
--request DELETE https://<KIBANA_URL>/api/security_ai_assistant/current_user/conversations/{id}
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"createdAt": "string",
"excludeFromLastConversationStorage": true,
"id": "string",
"isDefault": true,
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"namespace": "string",
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"timestamp": "string",
"title": "string",
"updatedAt": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Apply a bulk action to detection rules Beta
Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.
Query parameters
-
dry_run boolean
Enables dry run mode for the request call.
Body object
curl \
--request POST https://<KIBANA_URL>/api/detection_engine/rules/_bulk_action \
--header "Content-Type: application/json" \
--data '{"action":"delete","ids":["string"],"query":"string"}'
{
"action": "delete",
"ids": [
"string"
],
"query": "string"
}
{
"action": "disable",
"ids": [
"string"
],
"query": "string"
}
{
"action": "enable",
"ids": [
"string"
],
"query": "string"
}
{
"action": "export",
"ids": [
"string"
],
"query": "string"
}
{
"action": "duplicate",
"duplicate": {
"include_exceptions": true,
"include_expired_exceptions": true
},
"ids": [
"string"
],
"query": "string"
}
{
"action": "run",
"ids": [
"string"
],
"query": "string",
"run": {
"end_date": "string",
"start_date": "string"
}
}
{
"action": "edit",
"edit": [
{
"type": "add_tags",
"value": [
"string"
]
}
],
"ids": [
"string"
],
"query": "string"
}
{
"attributes": {
"errors": [
{
"err_code": "IMMUTABLE",
"message": "string",
"rules": [
{
"id": "string",
"name": "string"
}
],
"status_code": 42
}
],
"results": {
"created": [
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
],
"deleted": [
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
],
"skipped": [
{
"id": "string",
"name": "string",
"skip_reason": "RULE_NOT_MODIFIED"
}
],
"updated": [
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
]
},
"summary": {
"failed": 42,
"skipped": 42,
"succeeded": 42,
"total": 42
}
},
"message": "string",
"rules_count": 42,
"status_code": 42,
"success": true
}
string
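Because a bulk `delete`, `disable` or `edit` touches every rule matched by `query`, the `dry_run` query parameter is the natural gate: run the request once with `dry_run=true`, inspect `attributes.errors` and `attributes.summary`, and only repeat it for real when the preview is clean. The following is an added example, not Kibana's own client: the response shape follows the `_bulk_action` reply above, while the `send` callable (which performs the POST and returns the parsed JSON body), the canned replies and the rule ids are this example's assumptions.

```python
"""Two-phase bulk rule change: dry run first, apply only if the dry run is
clean. Added example, not Kibana's own code. The response shape follows the
_bulk_action reply above; `send` is an assumed stand-in for your HTTP client
(it POSTs the body to the URL and returns the parsed JSON)."""
from typing import Callable, Dict, List, Optional, Tuple

Sender = Callable[[str, Dict], Dict]


def bulk_action_url(kibana_url: str, dry_run: bool) -> str:
    """dry_run is a query parameter, not part of the body."""
    path = f"{kibana_url.rstrip('/')}/api/detection_engine/rules/_bulk_action"
    return path + "?dry_run=true" if dry_run else path


def dry_run_verdict(response: Dict) -> Tuple[bool, List[str]]:
    """Decide whether a dry-run result is safe to repeat for real.
    Any error entry (for example IMMUTABLE on a prebuilt rule) or any failed
    rule blocks the real run so the selection can be fixed first."""
    attrs = response.get("attributes", {})
    summary = attrs.get("summary", {})
    reasons: List[str] = []
    for err in attrs.get("errors", []):
        names = ", ".join(r.get("name", r.get("id", "?")) for r in err.get("rules", []))
        reasons.append(f"{err.get('err_code', 'UNKNOWN')}: {err.get('message', '')} [{names}]")
    if summary.get("failed", 0) > 0 and not reasons:
        reasons.append(f"{summary['failed']} rule(s) failed without an error entry")
    if not response.get("success", False) and not reasons:
        reasons.append("response success flag is false")
    return (not reasons), reasons


def apply_with_dry_run(kibana_url: str, body: Dict, send: Sender) -> Tuple[bool, List[str], Optional[Dict]]:
    """Run the action in dry-run mode; only if that is clean, run it for real.
    Returns (applied, reasons, real_response)."""
    preview = send(bulk_action_url(kibana_url, dry_run=True), body)
    ok, reasons = dry_run_verdict(preview)
    if not ok:
        return False, reasons, None
    return True, [], send(bulk_action_url(kibana_url, dry_run=False), body)


# Constructed replies mimicking the documented response shape.
CLEAN_REPLY = {
    "success": True, "rules_count": 2, "status_code": 200,
    "attributes": {"errors": [],
                   "results": {"created": [], "deleted": [], "skipped": [], "updated": []},
                   "summary": {"failed": 0, "skipped": 0, "succeeded": 2, "total": 2}},
}
BLOCKED_REPLY = {
    "success": False, "rules_count": 2, "status_code": 500, "message": "Bulk delete failed",
    "attributes": {"errors": [{"err_code": "IMMUTABLE", "message": "Elastic rule can't be deleted",
                               "rules": [{"id": "r-1", "name": "Prebuilt rule"}], "status_code": 500}],
                   "results": {"created": [], "deleted": [], "skipped": [], "updated": []},
                   "summary": {"failed": 1, "skipped": 0, "succeeded": 1, "total": 2}},
}


def fake_sender(replies: List[Dict]) -> Tuple[Sender, List[str]]:
    """Offline stand-in for an HTTP client: returns canned replies in order
    and records the URLs it was called with."""
    calls: List[str] = []

    def send(url: str, _body: Dict) -> Dict:
        calls.append(url)
        return replies[len(calls) - 1]

    return send, calls


if __name__ == "__main__":
    body = {"action": "delete", "ids": ["r-1", "r-2"]}  # constructed rule ids
    send, calls = fake_sender([BLOCKED_REPLY, CLEAN_REPLY])
    applied, reasons, _ = apply_with_dry_run("https://kibana.example", body, send)
    print("applied:", applied, "reasons:", reasons, "calls:", calls)
```

In the blocked case the real request is never sent; the `IMMUTABLE` entry tells the operator which prebuilt rule has to be dropped from `ids` (or excluded by `query`) before retrying.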
Get a metadata list Beta
Query parameters
-
Additional properties are allowed.
curl \
--request GET https://<KIBANA_URL>/api/endpoint/metadata?query=%7B%7D
{}
Upsert an asset criticality record Beta
Create or update an asset criticality record for a specific entity.
If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.
Body Required
-
id_field string
Values are `host.name`, `user.name`, `service.name`, or `related.entity`.
-
id_value string
The ID value of the asset.
-
criticality_level string
The criticality level of the asset.
Values are `low_impact`, `medium_impact`, `high_impact`, or `extreme_impact`.
-
refresh string
If set to `wait_for`, the request waits for the index refresh.
Value is `wait_for`.
curl \
--request POST https://<KIBANA_URL>/api/asset_criticality \
--header "Content-Type: application/json" \
--data '{"id_field":"host.name","id_value":"my_host","criticality_level":"high_impact"}'
{
"id_field": "host.name",
"id_value": "my_host",
"criticality_level": "high_impact"
}
{
"host": {
"name": "my_host",
"asset": {
"criticality": "high_impact"
}
},
"asset": {
"criticality": "high_impact"
},
"id_field": "host.name",
"id_value": "my_host",
"@timestamp": "2024-08-02T11:15:34.290Z",
"criticality_level": "high_impact"
}
List Entity Store Entities Beta
List entities records, paging, sorting and filtering as needed.
Query parameters
-
sort_field string
-
sort_order string
Values are `asc` or `desc`.
-
page integer
Minimum value is 1.
-
per_page integer
Minimum value is 1, maximum value is 10000.
-
filterQuery string
An ES query to filter by.
-
entity_types
Values are `user`, `host`, `service`, or `universal`.
curl \
--request GET https://<KIBANA_URL>/api/entity_store/entities/list?entity_types=user
{
"inspect": {
"dsl": [
"string"
],
"response": [
"string"
]
},
"page": 42,
"per_page": 42,
"records": [
{
"@timestamp": "2025-05-04T09:42:00+00:00",
"asset": {
"criticality": "low_impact"
},
"entity": {
"name": "string",
"source": "string"
},
"event": {
"ingested": "2025-05-04T09:42:00+00:00"
},
"user": {
"domain": [
"string"
],
"email": [
"string"
],
"full_name": [
"string"
],
"hash": [
"string"
],
"id": [
"string"
],
"name": "string",
"risk": {
"@timestamp": "2017-07-21T17:32:28Z",
"calculated_level": "Critical",
"calculated_score": 42.0,
"calculated_score_norm": 42.0,
"category_1_count": 42.0,
"category_1_score": 42.0,
"category_2_count": 42.0,
"category_2_score": 42.0,
"criticality_level": "low_impact",
"criticality_modifier": 42.0,
"id_field": "host.name",
"id_value": "example.host",
"inputs": [
{
"category": "category_1",
"contribution_score": 42.0,
"description": "Generated from Detection Engine Rule: Malware Prevention Alert",
"id": "91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c",
"index": ".internal.alerts-security.alerts-default-000001",
"risk_score": 42.0,
"timestamp": "2017-07-21T17:32:28Z"
}
],
"notes": [
"string"
]
},
"roles": [
"string"
]
}
}
],
"total": 42
}
Run the risk scoring engine Beta
Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.
curl \
--request POST https://<KIBANA_URL>/api/risk_score/engine/schedule_now \
--header "Content-Type: application/json"
{
"success": true
}
{
"message": "string",
"status_code": 42
}
{
"full_error": "string",
"message": "string"
}
Security exceptions
Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.
Exceptions are made up of:
- Exception containers: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
- Exception items: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert.
For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.
You cannot use lists with endpoint rule exceptions.
Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.
Exceptions requirements
Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to Enable and access detections.
Create rule exception items Beta
Create exception items that apply to a single detection rule.
Path parameters
-
Detection rule's identifier
curl \
--request POST https://<KIBANA_URL>/api/detection_engine/rules/330bdd28-eedf-40e1-bed0-f10176c7f9e0/exceptions \
--header "Content-Type: application/json" \
--data '{"items":[{"name":"Sample Exception List Item","tags":["malware"],"type":"simple","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["saturn","jupiter"],"operator":"included"}],"item_id":"simple_list_item","list_id":"simple_list","os_types":["linux"],"description":"This is a sample detection type exception item.","namespace_type":"single"}]}'
{
"items": [
{
"name": "Sample Exception List Item",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"type": "exists",
"field": "actingProcess.file.signer",
"operator": "excluded"
},
{
"type": "match_any",
"field": "host.name",
"value": [
"saturn",
"jupiter"
],
"operator": "included"
}
],
"item_id": "simple_list_item",
"list_id": "simple_list",
"os_types": [
"linux"
],
"description": "This is a sample detection type exception item.",
"namespace_type": "single"
}
]
}
[
{
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"name": "Sample Exception List Item",
"tags": [
"malware"
],
"type": "simple",
"entries": [
{
"type": "exists",
"field": "actingProcess.file.signer",
"operator": "excluded"
},
{
"type": "match_any",
"field": "host.name",
"value": [
"saturn",
"jupiter"
],
"operator": "included"
}
],
"item_id": "simple_list_item",
"list_id": "simple_list",
"_version": "WzQsMV0=",
"comments": [],
"os_types": [
"linux"
],
"created_at": "2025-01-07T20:07:33.119Z",
"created_by": "elastic",
"updated_at": "2025-01-07T20:07:33.119Z",
"updated_by": "elastic",
"description": "This is a sample detection type exception item.",
"namespace_type": "single",
"tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}
]
{
"error": "Bad Request",
"message": "Invalid request payload JSON format",
"statusCode": 400
}
{
"error": "Bad Request",
"message": "[request params]: id: Invalid uuid",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"message": "Unable to create exception-list",
"status_code": 403
}
{
"message": "Internal Server Error",
"status_code": 500
}
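The sample item in the request above combines two entries: an `exists` entry with `operator: excluded` (the field must be absent) and a `match_any` entry with `operator: included` (the value must be one of the listed hosts). Entries within an item are ANDed, so an alert is suppressed only when every entry holds. The block below is an added example, not Kibana's matching code (the real engine compiles items into an Elasticsearch filter); it applies that logic to in-memory events so the effect of each entry can be seen. The `exists`, `match` and `match_any` handling follows the documented entry types; the events are constructed, and treating `os_types` as a precondition on `host.os.type` is this example's assumption.

```python
"""Local evaluator for detection exception items, added to make the
"query evaluates to true, therefore no alert" rule concrete. Not Kibana's
own matching code: the real engine compiles items into an Elasticsearch
filter; this example applies the same AND-of-entries logic to in-memory
events. The sample item is the one from the request above; the events are
constructed, and the host.os.type precondition is this example's assumption."""
from typing import Any, Dict, List

SAMPLE_ITEM: Dict[str, Any] = {
    "name": "Sample Exception List Item",
    "type": "simple",
    "os_types": ["linux"],
    "entries": [
        {"type": "exists", "field": "actingProcess.file.signer", "operator": "excluded"},
        {"type": "match_any", "field": "host.name", "value": ["saturn", "jupiter"], "operator": "included"},
    ],
}


def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve an ECS-style dotted path; None when any segment is missing."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def entry_matches(entry: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate one entry. operator=excluded negates the underlying test."""
    actual = get_field(event, entry["field"])
    kind = entry["type"]
    if kind == "exists":
        hit = actual is not None
    elif kind == "match":
        hit = actual == entry["value"]
    elif kind == "match_any":
        candidates = actual if isinstance(actual, list) else [actual]
        hit = any(c in entry["value"] for c in candidates)
    else:
        raise ValueError(f"entry type {kind!r} is not handled by this example")
    return hit if entry["operator"] == "included" else not hit


def item_applies(item: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True when the exception suppresses the alert for this event: the OS
    precondition holds and every entry matches (entries are ANDed)."""
    os_types = item.get("os_types") or []
    if os_types and get_field(event, "host.os.type") not in os_types:
        return False
    return all(entry_matches(e, event) for e in item["entries"])


def suppressed_events(item: Dict[str, Any], events: List[Dict[str, Any]]) -> List[str]:
    """Labels of the events the item would keep from alerting."""
    return [ev["label"] for ev in events if item_applies(item, ev)]


# Constructed events; "label" exists only for readable output.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"label": "unsigned-on-saturn", "host": {"name": "saturn", "os": {"type": "linux"}},
     "actingProcess": {"file": {"path": "/tmp/x"}}},
    {"label": "signed-on-saturn", "host": {"name": "saturn", "os": {"type": "linux"}},
     "actingProcess": {"file": {"signer": "Example Corp"}}},
    {"label": "unsigned-on-mars", "host": {"name": "mars", "os": {"type": "linux"}},
     "actingProcess": {"file": {}}},
    {"label": "unsigned-on-jupiter-windows", "host": {"name": "jupiter", "os": {"type": "windows"}},
     "actingProcess": {"file": {}}},
]

if __name__ == "__main__":
    print("suppressed:", suppressed_events(SAMPLE_ITEM, SAMPLE_EVENTS))
```

Only the unsigned process on `saturn` is suppressed: the signed one fails the `exists`/`excluded` entry, `mars` is not in the `match_any` list, and the `jupiter` event is on Windows while the item is scoped to `linux`. Running a candidate item against a sample of recent alerts this way shows how wide an exception really is before it is attached to a rule.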
Update an exception list Beta
Update an exception list using the `id` or `list_id` field.
Body Required
Exception list's properties
-
_version string
The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
-
Describes the exception list.
-
id string(nonempty)
Exception list's identifier.
Minimum length is 1.
-
list_id string(nonempty)
Exception list's human readable string identifier, e.g. `trusted-linux-processes`. Minimum length is 1.
-
meta object
Placeholder for metadata about the list container.
Additional properties are allowed.
-
The name of the exception list.
-
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- `single`: Only available in the Kibana space in which it is created.
- `agnostic`: Available in all Kibana spaces.
Values are `agnostic` or `single`. Default value is `single`.
-
os_types array[string]
Use this field to specify the operating system.
Values are `linux`, `macos`, or `windows`.
-
The type of exception list to be created. Different list types may denote where they can be utilized.
Values are `detection`, `rule_default`, `endpoint`, `endpoint_trusted_apps`, `endpoint_events`, `endpoint_host_isolation_exceptions`, or `endpoint_blocklists`.
-
version integer
The document version, automatically increased on updates.
Minimum value is 1.
Responses
-
200 application/json
Successful response
-
400 application/json
Invalid input data response
-
401 application/json
Unsuccessful authentication response
-
403 application/json
Not enough privileges response
-
404 application/json
Exception list not found response
-
500 application/json
Internal server error response
curl \
--request PUT https://<KIBANA_URL>/api/exception_lists \
--header "Content-Type: application/json" \
--data '{"name":"Updated exception list name","tags":["draft malware"],"type":"detection","list_id":"simple_list","os_types":["linux"],"description":"Different description"}'
{
"name": "Updated exception list name",
"tags": [
"draft malware"
],
"type": "detection",
"list_id": "simple_list",
"os_types": [
"linux"
],
"description": "Different description"
}
{
"id": "fa7f545f-191b-4d32-b1f0-c7cd62a79e55",
"name": "Updated exception list name",
"tags": [
"draft malware"
],
"type": "detection",
"list_id": "simple_list",
"version": 2,
"_version": "WzExLDFd",
"os_types": [],
"immutable": false,
"created_at": "2025-01-07T20:43:55.264Z",
"created_by": "elastic",
"updated_at": "2025-01-07T21:32:03.726Z",
"updated_by": "elastic",
"description": "Different description",
"namespace_type": "single",
"tie_breaker_id": "319fe983-acdd-4806-b6c4-3098eae9392f"
}
{
"error": "Bad Request",
"message": "[request body]: list_id: Expected string, received number",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
"statusCode": 403
}
{
"message": "exception list id: \"foo\" does not exist",
"status_code": 404
}
{
"message": "Internal Server Error",
"status_code": 500
}
Query parameters
-
Value list's identifier. Minimum length is 1.
curl \
--request GET https://<KIBANA_URL>/api/lists?id=21b01cfb-058d-44b9-838c-282be16c91cd
{
"id": "ip_list",
"name": "My bad ips",
"type": "ip",
"version": 1,
"_version": "WzEsMV0=",
"immutable": false,
"@timestamp": "2025-01-08T04:47:34.273Z",
"created_at": "2025-01-08T04:47:34.273Z",
"created_by": "elastic",
"updated_at": "2025-01-08T05:21:53.843Z",
"updated_by": "elastic",
"description": "This list describes bad internet ip",
"tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}
{
"error": "Bad Request",
"message": "[request query]: id: Required",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
"statusCode": 403
}
{
"message": "list id: \"foo\" not found",
"status_code": 404
}
{
"message": "Internal Server Error",
"status_code": 500
}
Get value lists Beta
Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page.
Query parameters
-
page integer
The page number to return.
-
per_page integer
The number of value lists to return per page.
-
sort_field string(nonempty)
Determines which field is used to sort the results.
Minimum length is 1.
-
sort_order string
Determines the sort order, which can be desc or asc.
Values are desc or asc.
-
cursor string(nonempty)
Returns the lists that come after the last lists returned in the previous call (use the cursor value returned in the previous call). This parameter uses the tie_breaker_id field to ensure all lists are sorted and returned correctly.
Minimum length is 1.
-
filter string
Filters the returned results according to the value of the specified field, using the : syntax.
curl \
--request GET https://<KIBANA_URL>/api/lists/_find
{
"data": [
{
"id": "ip_list",
"name": "Simple list with an ip",
"type": "ip",
"version": 1,
"_version": "WzAsMV0=",
"immutable": false,
"@timestamp": "2025-01-08T04:47:34.273Z\n",
"created_at": "2025-01-08T04:47:34.273Z\n",
"created_by": "elastic",
"updated_at": "2025-01-08T04:47:34.273Z\n",
"updated_by": "elastic",
"description": "This list describes bad internet ip",
"tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}
],
"page": 1,
"total": 1,
"cursor": "WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d",
"per_page": 20
}
{
"error": "Bad Request",
"message": "[request query]: page: Expected number, received nan",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
"statusCode": 403
}
{
"message": "Internal Server Error",
"status_code": 500
}
Update a value list item Beta
Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted.
You cannot modify the id value.
Body Required
Value list item's properties
-
_version string
The version id, normally returned by the API when the document is retrieved. Use it to ensure updates are done against the latest version.
-
id string(nonempty)
Value list item's identifier.
Minimum length is 1.
-
meta object
Placeholder for metadata about the value list item.
Additional properties are allowed.
-
value string(nonempty)
The value used to evaluate exceptions.
Minimum length is 1.
Responses
-
200 application/json
Successful response
-
400 application/json
Invalid input data response
-
401 application/json
Unsuccessful authentication response
-
403 application/json
Not enough privileges response
-
404 application/json
List item not found response
-
500 application/json
Internal server error response
curl \
--request PUT https://<KIBANA_URL>/api/lists/items \
--header "Content-Type: application/json" \
--data '{"id":"ip_item","value":"255.255.255.255"}'
{
"id": "ip_item",
"value": "255.255.255.255"
}
{
"id": "pd1WRJQBs4HAK3VQeHFI",
"type": "ip",
"value": "255.255.255.255",
"list_id": "ip_list",
"_version": "WzIwLDFd",
"@timestamp": "2025-01-08T05:15:05.159Z",
"created_at": "2025-01-08T05:15:05.159Z",
"created_by": "elastic",
"updated_at": "2025-01-08T05:44:14.009Z",
"updated_by": "elastic",
"tie_breaker_id": "eee41dc7-1666-4876-982f-8b0f7b59eca3"
}
{
"error": "Bad Request",
"message": "[request body]: id: Expected string, received number",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
"statusCode": 403
}
{
"message": "list item id: \\\"foo\\\" not found",
"status_code": 404
}
{
"message": "Internal Server Error",
"status_code": 500
}
Create a value list item Beta
Create a value list item and associate it with the specified value list.
All value list items in the same list must be the same type. For example, each list item in an ip list must define a specific IP address.
Before creating a list item, you must create a list.
Body Required
Value list item's properties
-
id string(nonempty)
Value list item's identifier.
Minimum length is 1.
-
list_id string(nonempty)
Value list's identifier.
Minimum length is 1.
-
meta object
Placeholder for metadata about the value list item.
Additional properties are allowed.
-
refresh string
Determines when changes made by the request are made visible to search.
Values are true, false, or wait_for.
-
value string(nonempty)
The value used to evaluate exceptions.
Minimum length is 1.
Responses
-
200 application/json
Successful response
-
400 application/json
Invalid input data response
-
401 application/json
Unsuccessful authentication response
-
403 application/json
Not enough privileges response
-
404 application/json
List not found response
-
409 application/json
List item already exists response
-
500 application/json
Internal server error response
curl \
--request POST https://<KIBANA_URL>/api/lists/items \
--header "Content-Type: application/json" \
--data '{"value":"127.0.0.1","list_id":"ip_list"}'
{
"value": "127.0.0.1",
"list_id": "ip_list"
}
{
"value": "192.168.0.0/16",
"list_id": "ip_range_list"
}
{
"value": "zeek",
"list_id": "keyword_list"
}
{
"id": "21b01cfb-058d-44b9-838c-282be16c91cc",
"type": "ip",
"value": "127.0.0.1",
"list_id": "ip_list",
"_version": "WzAsMV0=",
"@timestamp": "2025-01-08T04:59:06.154Z",
"created_at": "2025-01-08T04:59:06.154Z",
"created_by": "elastic",
"updated_at": "2025-01-08T04:59:06.154Z",
"updated_by": "elastic",
"tie_breaker_id": "b57c762c-3036-465c-9bfb-7bfb5e6e515a"
}
{
"id": "ip_range_item",
"type": "ip_range",
"value": "192.168.0.0/16",
"list_id": "ip_range_list",
"_version": "WzEsMV0=",
"@timestamp": "2025-01-09T18:33:08.202Z",
"created_at": "2025-01-09T18:33:08.202Z",
"created_by": "elastic",
"updated_at": "2025-01-09T18:33:08.202Z",
"updated_by": "elastic",
"tie_breaker_id": "ea1b4189-efda-4637-b8f9-74655a5ebb61"
}
{
"id": "7f24737d-1da8-4626-a568-33070591bb4e",
"type": "keyword",
"value": "zeek",
"list_id": "keyword_list",
"_version": "WzIsMV0=",
"@timestamp": "2025-01-09T18:34:29.422Z",
"created_at": "2025-01-09T18:34:29.422Z",
"created_by": "elastic",
"updated_at": "2025-01-09T18:34:29.422Z",
"updated_by": "elastic",
"tie_breaker_id": "2108ced2-5e5d-401e-a88e-4dd69fc5fa27"
}
{
"error": "Bad Request",
"message": "uri [/api/lists/items] with method [post] exists but is not available with the current configuration",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
"statusCode": 403
}
{
"message": "list id: \\\"ip_list\\\" does not exist",
"status_code": 404
}
{
"message": "list item id: \\\"ip_item\\\" already exists",
"status_code": 409
}
{
"message": "Internal Server Error",
"status_code": 500
}
Body Required
The note to add or update, along with additional metadata.
-
eventDataView string | null
-
eventIngested string | null
-
eventTimestamp string | null
-
Additional properties are allowed.
-
noteId string | null
-
overrideOwner boolean | null
-
version string | null
curl \
--request PATCH https://<KIBANA_URL>/api/note \
--header "Content-Type: application/json" \
--data '{"eventDataView":"string","eventIngested":"string","eventTimestamp":"string","note":{"created":42.0,"createdBy":"string","eventId":"string","note":"string","timelineId":"string","updated":42.0,"updatedBy":"string"},"noteId":"string","overrideOwner":true,"version":"string"}'
{
"eventDataView": "string",
"eventIngested": "string",
"eventTimestamp": "string",
"note": {
"created": 42.0,
"createdBy": "string",
"eventId": "string",
"note": "string",
"timelineId": "string",
"updated": 42.0,
"updatedBy": "string"
},
"noteId": "string",
"overrideOwner": true,
"version": "string"
}
{
"note": {
"created": 42.0,
"createdBy": "string",
"eventId": "string",
"note": "string",
"timelineId": "string",
"updated": 42.0,
"updatedBy": "string",
"noteId": "string",
"version": "string"
}
}
Body Required
The pinned event to add or update, along with additional metadata.
-
pinnedEventId string | null
curl \
--request PATCH https://<KIBANA_URL>/api/pinned_event \
--header "Content-Type: application/json" \
--data '{"eventId":"string","pinnedEventId":"string","timelineId":"string"}'
{
"eventId": "string",
"pinnedEventId": "string",
"timelineId": "string"
}
{
"created": 42.0,
"createdBy": "string",
"eventId": "string",
"timelineId": "string",
"updated": 42.0,
"updatedBy": "string",
"pinnedEventId": "string",
"version": "string"
}
{
"unpinned": true
}
Query parameters
-
file_name string
The name of the file to export
curl \
--request POST https://<KIBANA_URL>/api/timeline/_export?file_name=string \
--header "Content-Type: application/json" \
--data '{"ids":["string"]}'
{
"ids": [
"string"
]
}
string
{
"body": "string",
"statusCode": 42.0
}
Enable an SLO Beta
You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.
Path parameters
-
An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.
-
An identifier for the slo.
curl \
--request POST https://<KIBANA_URL>/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414/enable \
--header "kbn-xsrf: string"
{
"error": "Bad Request",
"message": "Invalid value 'foo' supplied to: [...]",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Unauthorized",
"message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
"statusCode": 403
}
{
"error": "Not Found",
"message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
"statusCode": 404
}