Kibana Serverless APIs
1.0.2
Base URL
http://localhost:5622
http://localhost:5622The Kibana REST APIs for Elastic serverless enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation.
To interact with Kibana APIs, use the following operations:
- GET: Fetches the information.
- POST: Adds new information.
- PUT: Updates the existing information.
- DELETE: Removes the information.
You can prepend any Kibana API endpoint with kbn: and run the request in
Dev Tools → Console. For example:
GET kbn:/api/data_views
Documentation source and versions
This documentation is derived from the main branch of the kibana repository.
It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.
This is version 1.0.2 of this API documentation.
Last update on Apr 22, 2025.
Delete a snooze schedule for a rule
Path parameters
-
ruleId
string Required The identifier for the rule.
-
scheduleId
string Required The identifier for the snooze schedule.
DELETE
/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}
curl \
--request DELETE 'http://localhost:5622/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Connectors
Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.
Get connector types
You do not need any Kibana feature privileges to run this API.
Query parameters
-
feature_id
string A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).
GET
/api/actions/connector_types
curl \
--request GET 'http://localhost:5622/api/actions/connector_types' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": ".gen-ai",
"name": "OpenAI",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity",
"generativeAIForObservability",
"generativeAIForSearchPlayground"
],
"minimum_license_required": "enterprise"
},
{
"id": ".bedrock",
"name": "AWS Bedrock",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity",
"generativeAIForObservability",
"generativeAIForSearchPlayground"
],
"minimum_license_required": "enterprise"
},
{
"id": ".gemini",
"name": "Google Gemini",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity"
],
"minimum_license_required": "enterprise"
}
]Delete a connector
WARNING: When you delete a connector, it cannot be recovered.
Path parameters
-
id
string Required An identifier for the connector.
DELETE
/api/actions/connector/{id}
curl \
--request DELETE 'http://localhost:5622/api/actions/connector/{id}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Upgrade an agent
[Required authorization] Route required privileges: fleet-agents-all.
Path parameters
-
agentId
string Required
Body
-
force
boolean -
skipRateLimitCheck
boolean -
source_uri
string -
version
string Required
POST
/api/fleet/agents/{agentId}/upgrade
curl \
--request POST 'http://localhost:5622/api/fleet/agents/{agentId}/upgrade' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"force":true,"skipRateLimitCheck":true,"source_uri":"string","version":"string"}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"force": true,
"skipRateLimitCheck": true,
"source_uri": "string",
"version": "string"
}
Response examples (200)
{}
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Bulk reassign agents
[Required authorization] Route required privileges: fleet-agents-all.
Body
agents
array[string] | string Required -
batchSize
number -
includeInactive
boolean Default value is
false. -
policy_id
string Required
POST
/api/fleet/agents/bulk_reassign
curl \
--request POST 'http://localhost:5622/api/fleet/agents/bulk_reassign' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"policy_id":"string"}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"agents": [
"string"
],
"batchSize": 42.0,
"includeInactive": false,
"policy_id": "string"
}
Response examples (200)
{
"actionId": "string"
}
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Get an agent binary download source
Get an agent binary download source by ID.
[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.
Path parameters
-
sourceId
string Required
GET
/api/fleet/agent_download_sources/{sourceId}
curl \
--request GET 'http://localhost:5622/api/fleet/agent_download_sources/{sourceId}' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"item": {
"host": "https://example.com",
"id": "string",
"is_default": false,
"name": "string",
"proxy_id": "string",
"secrets": {
"ssl": {
"key": {
"id": "string"
}
}
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string"
}
}
}
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Copy an agent policy
Copy an agent policy by ID.
[Required authorization] Route required privileges: fleet-agent-policies-all.
Path parameters
-
agentPolicyId
string Required
Query parameters
-
format
string Values are
simplifiedorlegacy.
Body
-
description
string -
name
string Required Minimum length is
1.
POST
/api/fleet/agent_policies/{agentPolicyId}/copy
curl \
--request POST 'http://localhost:5622/api/fleet/agent_policies/{agentPolicyId}/copy' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"description":"string","name":"string"}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"name": "string"
}
Response examples (200)
{
"item": {
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"agents": 42.0,
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_preconfigured": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"package_policies": [
"string"
],
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"revision": 42.0,
"schema_version": "string",
"space_ids": [
"string"
],
"status": "active",
"supports_agentless": false,
"unenroll_timeout": 42.0,
"unprivileged_agents": 42.0,
"updated_at": "string",
"updated_by": "string",
"version": "string"
}
}
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Get agents
[Required authorization] Route required privileges: fleet-agents-read.
Query parameters
-
page
number -
perPage
number Default value is
20. -
kuery
string -
showInactive
boolean Default value is
false. -
withMetrics
boolean Default value is
false. -
showUpgradeable
boolean Default value is
false. -
getStatusSummary
boolean Default value is
false. -
sortField
string -
sortOrder
string Values are
ascordesc. -
searchAfter
string -
openPit
boolean -
pitId
string -
pitKeepAlive
string
GET
/api/fleet/agents
curl \
--request GET 'http://localhost:5622/api/fleet/agents' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"items": [
{
"access_api_key": "string",
"access_api_key_id": "string",
"active": true,
"agent": {
"id": "string",
"version": "string"
},
"audit_unenrolled_reason": "string",
"components": [
{
"id": "string",
"message": "string",
"status": "STARTING",
"type": "string",
"units": [
{
"id": "string",
"message": "string",
"payload": {},
"status": "STARTING",
"type": "input"
}
]
}
],
"default_api_key": "string",
"default_api_key_history": [
{
"id": "string",
"retired_at": "string"
}
],
"default_api_key_id": "string",
"enrolled_at": "string",
"id": "string",
"last_checkin": "string",
"last_checkin_message": "string",
"last_checkin_status": "error",
"local_metadata": {},
"metrics": {
"cpu_avg": 42.0,
"memory_size_byte_avg": 42.0
},
"namespaces": [
"string"
],
"outputs": {
"additionalProperty1": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
},
"additionalProperty2": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
}
},
"packages": [
"string"
],
"policy_id": "string",
"policy_revision": 42.0,
"sort": [],
"status": "offline",
"tags": [
"string"
],
"type": "PERMANENT",
"unenrolled_at": "string",
"unenrollment_started_at": "string",
"unhealthy_reason": [
"input"
],
"upgrade_attempts": [
"string"
],
"upgrade_details": {
"action_id": "string",
"metadata": {
"download_percent": 42.0,
"download_rate": 42.0,
"error_msg": "string",
"failed_state": "UPG_REQUESTED",
"retry_error_msg": "string",
"retry_until": "string",
"scheduled_at": "string"
},
"state": "UPG_REQUESTED",
"target_version": "string"
},
"upgrade_started_at": "string",
"upgraded_at": "string",
"user_provided_metadata": {}
}
],
"nextSearchAfter": "string",
"page": 42.0,
"perPage": 42.0,
"pit": "string",
"statusSummary": {
"additionalProperty1": 42.0,
"additionalProperty2": 42.0
},
"total": 42.0
}
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Get an agent
Get an agent by ID.
[Required authorization] Route required privileges: fleet-agents-read.
Path parameters
-
agentId
string Required
Query parameters
-
withMetrics
boolean Default value is
false.
GET
/api/fleet/agents/{agentId}
curl \
--request GET 'http://localhost:5622/api/fleet/agents/{agentId}' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"item": {
"access_api_key": "string",
"access_api_key_id": "string",
"active": true,
"agent": {
"id": "string",
"version": "string"
},
"audit_unenrolled_reason": "string",
"components": [
{
"id": "string",
"message": "string",
"status": "STARTING",
"type": "string",
"units": [
{
"id": "string",
"message": "string",
"payload": {},
"status": "STARTING",
"type": "input"
}
]
}
],
"default_api_key": "string",
"default_api_key_history": [
{
"id": "string",
"retired_at": "string"
}
],
"default_api_key_id": "string",
"enrolled_at": "string",
"id": "string",
"last_checkin": "string",
"last_checkin_message": "string",
"last_checkin_status": "error",
"local_metadata": {},
"metrics": {
"cpu_avg": 42.0,
"memory_size_byte_avg": 42.0
},
"namespaces": [
"string"
],
"outputs": {
"additionalProperty1": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
},
"additionalProperty2": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
}
},
"packages": [
"string"
],
"policy_id": "string",
"policy_revision": 42.0,
"sort": [],
"status": "offline",
"tags": [
"string"
],
"type": "PERMANENT",
"unenrolled_at": "string",
"unenrollment_started_at": "string",
"unhealthy_reason": [
"input"
],
"upgrade_attempts": [
"string"
],
"upgrade_details": {
"action_id": "string",
"metadata": {
"download_percent": 42.0,
"download_rate": 42.0,
"error_msg": "string",
"failed_state": "UPG_REQUESTED",
"retry_error_msg": "string",
"retry_until": "string",
"scheduled_at": "string"
},
"state": "UPG_REQUESTED",
"target_version": "string"
},
"upgrade_started_at": "string",
"upgraded_at": "string",
"user_provided_metadata": {}
}
}
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Install a package by upload
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
Query parameters
-
ignoreMappingUpdateErrors
boolean Default value is
false. -
skipDataStreamRollover
boolean Default value is
false.
Body
string(binary)
string(binary)
POST
/api/fleet/epm/packages
curl \
--request POST 'http://localhost:5622/api/fleet/epm/packages' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/gzip; application/zip" \
--header "kbn-xsrf: true" \
--data-binary '@file'Revoke an enrollment API key
Revoke an enrollment API key by ID by marking it as inactive.
[Required authorization] Route required privileges: fleet-agents-all.
Path parameters
-
keyId
string Required
DELETE
/api/fleet/enrollment_api_keys/{keyId}
curl \
--request DELETE 'http://localhost:5622/api/fleet/enrollment_api_keys/{keyId}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
Response examples (200)
{
"action": "deleted"
}
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Initiate Fleet setup
[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
POST
/api/fleet/setup
curl \
--request POST 'http://localhost:5622/api/fleet/setup' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
Response examples (200)
{
"isInitialized": true,
"nonFatalErrors": [
{
"message": "string",
"name": "string"
}
]
}
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}
Response examples (500)
{
"message": "string"
}Get the latest output health
[Required authorization] Route required privileges: fleet-settings-read.
Path parameters
-
outputId
string Required
GET
/api/fleet/outputs/{outputId}/health
curl \
--request GET 'http://localhost:5622/api/fleet/outputs/{outputId}/health' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"message": "string",
"state": "string",
"timestamp": "string"
}
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Upgrade a package policy
Upgrade a package policy to a newer package version.
[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.
Body
-
packagePolicyIds
array[string] Required
POST
/api/fleet/package_policies/upgrade
curl \
--request POST 'http://localhost:5622/api/fleet/package_policies/upgrade' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"packagePolicyIds":["string"]}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"packagePolicyIds": [
"string"
]
}
Response examples (200)
[
{
"body": {
"message": "string"
},
"id": "string",
"name": "string",
"statusCode": 42.0,
"success": true
}
]
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Create a service token
[Required authorization] Route required privileges: fleet-agents-all.
POST
/api/fleet/service_tokens
curl \
--request POST 'http://localhost:5622/api/fleet/service_tokens' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"remote":false}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"remote": false
}
Response examples (200)
{
"name": "string",
"value": "string"
}
Response examples (400)
{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Query parameters
-
replaceDeprecatedPrivileges
boolean If
trueand the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
GET
/api/security/role
curl \
--request GET 'http://localhost:5622/api/security/role' \
--header "Authorization: $API_KEY"Export saved objects
Retrieve sets of saved objects that you want to import into Kibana. You must include type or objects in the request body.
Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
NOTE: The savedObjects.maxImportExportSize configuration setting limits the number of saved objects which may be exported.
Body
-
excludeExportDetails
boolean Do not add export details entry at the end of the stream.
Default value is
false. hasReference
object | array[object] -
includeReferencesDeep
boolean Includes all of the referenced objects in the exported objects.
Default value is
false. -
objects
array[object] A list of objects to export. NOTE: this optiona cannot be combined with
typesoptionNot more than
10000elements. -
search
string Search for documents to export using the Elasticsearch Simple Query String syntax.
type
string | array[string] The saved object types to include in the export. Use
*to export all the types.
POST
/api/saved_objects/_export
curl \
--request POST 'http://localhost:5622/api/saved_objects/_export' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"objects":[{"id":"de71f4f0-1902-11e9-919b-ffe5949a18d2","type":"map"}],"excludeExportDetails":true,"includeReferencesDeep":false}'
Request example
{
"objects": [
{
"id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
"type": "map"
}
],
"excludeExportDetails": true,
"includeReferencesDeep": false
}
Response examples (200)
{
"id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
"type": "map",
"managed": false,
"version": "WzEzLDFd",
"attributes": {
"title": "[Logs] Total Requests and Bytes",
"description": "",
"uiStateJSON": "{\"isDarkMode\":false}",
"mapStateJSON": "{\"zoom\":3.64,\"center\":{\"lon\":-88.92107,\"lat\":42.16337},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"settings\":{\"autoFitToDataBounds\":false}}",
"layerListJSON": "[{\"id\":\"0hmz5\",\"alpha\":1,\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"visible\":true,\"style\":{},\"type\":\"EMS_VECTOR_TILE\",\"minZoom\":0,\"maxZoom\":24},{\"id\":\"edh66\",\"label\":\"Total Requests by Destination\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.5,\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\",\"iso2\"]},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e\",\"origin\":\"join\"},\"color\":\"Greys\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":10}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\",\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"673ff994-fc75-4c67-909b-69fcb0e1060e\",\"indexPatternTitle\":\"kibana_sample_data_logs\",\"term\":\"geo.dest\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"}],\"applyGlobalQuery\":true}}]},{\"id\":\"gaxya\",\"label\":\"Actual Requests\",\"minZoom\":9,\"maxZoom\":24,\"alpha\":1,\"sourceDescriptor\":{\"id\":\"b7486535-171b-4d3b-bb2e-33c1a0a2854c\",\"type\":\"ES_SEARCH\",\"geoField\":\"geo.coordinates\",\"limit\":2048,\"filterByMapBounds\":true,\"tooltipProperties\":[\"clientip\",\"timestamp\",\"host\",\"request\",\"response\",\"machine.os\",\"agent\",\"bytes\"],\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#2200ff\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"bytes\",\"origin\":\"source\"},\"minSize\":1,\"maxSize\":23,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"},{\"id\":\"tfi3f\",\"label\":\"Total Requests and Bytes\",\"minZoom\":0,\"maxZoom\":9,\"alpha\":1,\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"resolution\":\"COARSE\",\"id\":\"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b\",\"geoField\":\"geo.coordinates\",\"requestType\":\"point\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"},{\"type\":\"sum\",\"field\":\"bytes\"}],\"indexPatternRefName\":\"layer_3_source_index_pattern\",\"applyGlobalQuery\":true},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"color\":\"Blues\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#cccccc\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"sum_of_bytes\",\"origin\":\"source\"},\"minSize\":7,\"maxSize\":25,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"minSize\":12,\"maxSize\":24,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"}]"
},
"created_at": "2023-08-23T20:03:32.204Z",
"references": [
{
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"name": "layer_1_join_0_index_pattern",
"type": "index-pattern"
},
{
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"name": "layer_2_source_index_pattern",
"type": "index-pattern"
},
{
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"name": "layer_3_source_index_pattern",
"type": "index-pattern"
}
],
"updated_at": "2023-08-23T20:03:32.204Z",
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "8.4.0"
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 400
}Create a conversation
Create a new Security AI Assistant conversation.
Body
Required
-
apiConfig
object LLM API configuration.
-
category
string The conversation category.
Values are
assistantorinsights. -
excludeFromLastConversationStorage.
-
id
string The conversation id.
-
messages
array[object] The conversation messages.
AI assistant conversation message.
-
replacements
object Replacements object used to anonymize/deanomymize messsages
-
title
string Required The conversation title.
POST
/api/security_ai_assistant/current_user/conversations
curl \
--request POST 'http://localhost:5622/api/security_ai_assistant/current_user/conversations' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"apiConfig":{"actionTypeId":"string","connectorId":"string","defaultSystemPromptId":"string","model":"string","provider":"OpenAI"},"category":"assistant","excludeFromLastConversationStorage":true,"id":"string","messages":[{"content":"string","isError":true,"metadata":{"contentReferences":{}},"reader":{},"role":"system","timestamp":"string","traceData":{"traceId":"string","transactionId":"string"}}],"replacements":{"additionalProperty1":"string","additionalProperty2":"string"},"title":"string"}'
Request examples
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"excludeFromLastConversationStorage": true,
"id": "string",
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"title": "string"
}
Response examples (200)
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"createdAt": "string",
"excludeFromLastConversationStorage": true,
"id": "string",
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"namespace": "string",
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"timestamp": "string",
"title": "string",
"updatedAt": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Get a conversation
Get the details of an existing conversation using the conversation ID.
Path parameters
-
id
string(nonempty) Required The conversation's
idvalue.Minimum length is
1.
GET
/api/security_ai_assistant/current_user/conversations/{id}
curl \
--request GET 'http://localhost:5622/api/security_ai_assistant/current_user/conversations/{id}' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"createdAt": "string",
"excludeFromLastConversationStorage": true,
"id": "string",
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"namespace": "string",
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"timestamp": "string",
"title": "string",
"updatedAt": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Update a conversation
Update an existing conversation using the conversation ID.
Path parameters
-
id
string(nonempty) Required The conversation's
idvalue.Minimum length is
1.
Body
Required
-
apiConfig
object LLM API configuration.
-
category
string The conversation category.
Values are
assistantorinsights. -
excludeFromLastConversationStorage.
-
id
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
messages
array[object] The conversation messages.
AI assistant conversation message.
-
replacements
object Replacements object used to anonymize/deanomymize messsages
-
summary
object -
title
string The conversation title.
PUT
/api/security_ai_assistant/current_user/conversations/{id}
curl \
--request PUT 'http://localhost:5622/api/security_ai_assistant/current_user/conversations/{id}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"apiConfig":{"actionTypeId":"string","connectorId":"string","defaultSystemPromptId":"string","model":"string","provider":"OpenAI"},"category":"assistant","excludeFromLastConversationStorage":true,"id":"string","messages":[{"content":"string","isError":true,"metadata":{"contentReferences":{}},"reader":{},"role":"system","timestamp":"string","traceData":{"traceId":"string","transactionId":"string"}}],"replacements":{"additionalProperty1":"string","additionalProperty2":"string"},"summary":{"confidence":"low","content":"string","public":true,"timestamp":"string"},"title":"string"}'
Request examples
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"excludeFromLastConversationStorage": true,
"id": "string",
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"title": "string"
}
Response examples (200)
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"createdAt": "string",
"excludeFromLastConversationStorage": true,
"id": "string",
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"namespace": "string",
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"timestamp": "string",
"title": "string",
"updatedAt": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Create a KnowledgeBase
Create a KnowledgeBase
Path parameters
-
resource
string The KnowledgeBase
resourcevalue.
Query parameters
-
modelId
string Optional ELSER modelId to use when setting up the Knowledge Base
-
ignoreSecurityLabs
boolean Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base
Default value is
false.
POST
/api/security_ai_assistant/knowledge_base/{resource}
curl \
--request POST 'http://localhost:5622/api/security_ai_assistant/knowledge_base/{resource}' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"success": true
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Query parameters
-
fields
array[string] -
filter
string Search query
-
sort_field
string Field to sort by
Values are
created_at,is_default,name, orupdated_at. -
sort_order
string Sort order
Values are
ascordesc. -
page
integer Page number
Minimum value is
1. Default value is1. -
per_page
integer Prompts per page
Minimum value is
0. Default value is20.
GET
/api/security_ai_assistant/prompts/_find
curl \
--request GET 'http://localhost:5622/api/security_ai_assistant/prompts/_find' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"data": [
{
"categories": [
"string"
],
"color": "string",
"consumer": "string",
"content": "string",
"createdAt": "string",
"createdBy": "string",
"id": "string",
"isDefault": true,
"isNewConversationDefault": true,
"name": "string",
"namespace": "string",
"promptType": "system",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
],
"page": 42,
"perPage": 42,
"total": 42
}
Response examples (400)
{
"error": "string",
"message": "string",
"statusCode": 42.0
}Assign and unassign users from detection alerts
Assign users to detection alerts, and unassign them from alerts.
You cannot add and remove the same assignee in the same request.
POST
/api/detection_engine/signals/assignees
curl \
--request POST 'http://localhost:5622/api/detection_engine/signals/assignees' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"],"assignees":{"add":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"],"remove":[]}}'
Request examples
Add
{
"ids": [
"681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
],
"assignees": {
"add": [
"u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
],
"remove": []
}
}{
"ids": [
"681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
],
"assignees": {
"add": [],
"remove": [
"u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
]
}
}
Response examples (200)
{
"took": "76,",
"noops": "0,",
"total": "1,",
"batches": "1,",
"deleted": "0,",
"retries": [
{
"bulk": "0,"
},
{
"search": 0
}
],
"updated": "1,",
"failures": [],
"timed_out": "false,",
"throttled_millis": "0,",
"version_conflicts": "0,",
"requests_per_second": "-1,",
"throttled_until_millis": "0,"
}Set a detection alert status
Set the status of one or more detection alerts.
Body
object
Required
An object containing desired status and explicit alert ids or a query to select alerts
-
signal_ids
array[string(nonempty)] Required List of alert
ids.At least
1element. Minimum length of each is1. -
status
string Required The status of an alert, which can be
open,acknowledged,in-progress, orclosed.Values are
open,closed,acknowledged, orin-progress.
POST
/api/detection_engine/signals/status
curl \
--request POST 'http://localhost:5622/api/detection_engine/signals/status' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"status":"closed","signal_ids":["80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"]}'
Request examples
By
{
"status": "closed",
"signal_ids": [
"80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"
]
}{
"query": {
"bool": {
"must": [],
"filter": [
{
"range": null,
"@timestamp": {
"gte": "2024-10-23T07:00:00.000Z",
"lte": "2025-01-21T20:12:11.704Z",
"format": "strict_date_optional_time"
}
},
{
"bool": {
"filter": {
"bool": {
"must": [],
"filter": [
{
"match_phrase": {
"kibana.alert.workflow_status": "open"
}
},
{
"range": null,
"@timestamp": {
"gte": "2024-10-23T07:00:00.000Z",
"lte": "2025-01-21T20:12:11.704Z",
"format": "strict_date_optional_time"
}
}
],
"should": [],
"must_not": [
{
"exists": {
"field": "kibana.alert.building_block_type"
}
}
]
}
}
}
}
],
"should": [],
"must_not": []
}
},
"status": "closed",
"conflicts": "proceed"
}
Response examples (200)
By
{
"took": 81,
"noops": 0,
"total": 1,
"batches": 1,
"deleted": 0,
"retries": {
"bulk": 0,
"search": 0
},
"updated": 1,
"failures": [],
"timed_out": false,
"throttled_millis": 0,
"version_conflicts": 0,
"requests_per_second": -1,
"throttled_until_millis": 0
}{
"took": 100,
"noops": 0,
"total": 17,
"batches": 1,
"deleted": 0,
"retries": {
"bulk": 0,
"search": 0
},
"updated": 17,
"failures": [],
"timed_out": false,
"throttled_millis": 0,
"version_conflicts": 0,
"requests_per_second": -1,
"throttled_until_millis": 0
}
Response examples (400)
Security_detections_api_platformerrorresponse
{
"error": "string",
"message": "string",
"statusCode": 42
}{
"message": "string",
"status_code": 42
}
Response examples (401)
{
"error": "string",
"message": "string",
"statusCode": 42
}
Response examples (500)
{
"message": "string",
"status_code": 42
}Suspend a process
Suspend a running process on an endpoint.
Body
Required
-
agent_type
string List of agent types to retrieve. Defaults to
endpoint.Values are
endpoint,sentinel_one,crowdstrike, ormicrosoft_defender_endpoint. -
alert_ids
array[string(nonempty)] A list of alerts
ids.At least
1element. Minimum length of each is1. -
case_ids
array[string] Case IDs to be updated (cannot contain empty strings)
At least
1element. Minimum length of each is1. -
comment
string Optional comment
-
endpoint_ids
array[string] Required List of endpoint IDs (cannot contain empty strings)
At least
1element. Minimum length of each is1. parameters
object Required -
parameters
object Optional parameters object
POST
/api/endpoint/action/suspend_process
curl \
--request POST 'http://localhost:5622/api/endpoint/action/suspend_process' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"comment":"suspend the process","parameters":{"entity_id":"abc123"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example
{
"comment": "suspend the process",
"parameters": {
"entity_id": "abc123"
},
"endpoint_ids": [
"ed518850-681a-4d60-bb98-e22640cae2a8"
]
}
Response examples (200)
{
"data": {
"id": "233db9ea-6733-4849-9226-5a7039c7161d",
"agents": [
"ed518850-681a-4d60-bb98-e22640cae2a8"
],
"errors": [],
"command": "suspend-process",
"comment": "suspend the process",
"outputs": {
"ed518850-681a-4d60-bb98-e22640cae2a8": {
"type": "json",
"content": {
"key": "value"
}
}
},
"agentType": "endpoint",
"createdBy": "myuser",
"isExpired": false,
"startedAt": "2022-07-29T19:08:49.126Z",
"parameters": {
"entity_id": "abc123"
},
"completedAt": "2022-07-29T19:09:44.961Z",
"isCompleted": true,
"wasSuccessful": true
}
}