Security Osquery

Get rule details

GET /api/alerting/rule/{id}

Path parameters

id string Required

The identifier for the rule.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

GET /api/alerting/rule/{id}

curl \
 --request GET 'https://<KIBANA_URL>/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "actions": [
    {
      "alerts_filter": {
        "query": {
          "dsl": "string",
          "filters": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {},
              "query": {}
            }
          ],
          "kql": "string"
        },
        "timeframe": {
          "days": [
            1
          ],
          "hours": {
            "end": "string",
            "start": "string"
          },
          "timezone": "string"
        }
      },
      "connector_type_id": "string",
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": true,
        "throttle": "string"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "use_alert_data_for_template": true,
      "uuid": "string"
    }
  ],
  "active_snoozes": [
    "string"
  ],
  "alert_delay": {
    "active": 42.0
  },
  "api_key_created_by_user": true,
  "api_key_owner": "string",
  "consumer": "string",
  "created_at": "string",
  "created_by": "string",
  "enabled": true,
  "execution_status": {
    "error": {
      "message": "string",
      "reason": "read"
    },
    "last_duration": 42.0,
    "last_execution_date": "string",
    "status": "ok",
    "warning": {
      "message": "string",
      "reason": "maxExecutableActions"
    }
  },
  "flapping": {
    "look_back_window": 42.0,
    "status_change_threshold": 42.0
  },
  "id": "string",
  "is_snoozed_until": "string",
  "last_run": {
    "alerts_count": {
      "active": 42.0,
      "ignored": 42.0,
      "new": 42.0,
      "recovered": 42.0
    },
    "outcome": "succeeded",
    "outcome_msg": [
      "string"
    ],
    "outcome_order": 42.0,
    "warning": "read"
  },
  "mapped_params": {},
  "monitoring": {
    "run": {
      "calculated_metrics": {
        "p50": 42.0,
        "p95": 42.0,
        "p99": 42.0,
        "success_ratio": 42.0
      },
      "history": [
        {
          "duration": 42.0,
          "outcome": "succeeded",
          "success": true,
          "timestamp": 42.0
        }
      ],
      "last_run": {
        "metrics": {
          "duration": 42.0,
          "gap_duration_s": 42.0,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_alerts_created": 42.0,
          "total_alerts_detected": 42.0,
          "total_indexing_duration_ms": 42.0,
          "total_search_duration_ms": 42.0
        },
        "timestamp": "string"
      }
    }
  },
  "mute_all": true,
  "muted_alert_ids": [
    "string"
  ],
  "name": "string",
  "next_run": "string",
  "notify_when": "onActionGroupChange",
  "params": {},
  "revision": 42.0,
  "rule_type_id": "string",
  "running": true,
  "schedule": {
    "interval": "string"
  },
  "scheduled_task_id": "string",
  "snooze_schedule": [
    {
      "duration": 42.0,
      "id": "string",
      "rRule": {
        "byhour": [
          42.0
        ],
        "byminute": [
          42.0
        ],
        "bymonth": [
          42.0
        ],
        "bymonthday": [
          42.0
        ],
        "bysecond": [
          42.0
        ],
        "bysetpos": [
          42.0
        ],
        "byweekday": [
          "string"
        ],
        "byweekno": [
          42.0
        ],
        "byyearday": [
          42.0
        ],
        "count": 42.0,
        "dtstart": "string",
        "freq": 0,
        "interval": 42.0,
        "tzid": "string",
        "until": "string",
        "wkst": "MO"
      },
      "skipRecurrences": [
        "string"
      ]
    }
  ],
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updated_at": "string",
  "updated_by": "string",
  "view_in_app_relative_url": "string"
}

Create a rule

POST /api/alerting/rule/{id}

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule. If it is omitted, an ID is randomly generated.

application/json

Body

actions array[object]

An action that runs under defined conditions.

Default value is [] (empty).
Hide actions attributes Show actions attributes object
- alerts_filter object
  
  Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
  
  Additional properties are NOT allowed.
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
- frequency object
  
  Additional properties are NOT allowed.
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
- id string Required
  
  The identifier for the connector saved object.
- params object
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Default value is {} (empty). Additional properties are allowed.
- use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
- uuid string
  
  A universally unique identifier (UUID) for the action.
alert_delay object

Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

Additional properties are NOT allowed.
Hide alert_delay attribute Show alert_delay attribute object
- active number Required
  
  The number of consecutive runs that must meet the rule conditions.
consumer string Required

The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled boolean

Indicates whether you want to run the rule on an interval basis after it is created.

Default value is true.
flapping object | null

When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

Additional properties are NOT allowed.
Hide flapping attributes Show flapping attributes object | null
- look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
- status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
name string Required

The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when string | null

Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
rule_type_id string Required

The rule type identifier.
schedule object Required

The check interval, which specifies how frequently the rule conditions are checked.

Additional properties are NOT allowed.
Hide schedule attribute Show schedule attribute object
- interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
tags array[string]

The tags for the rule.

Default value is [] (empty).
throttle string | null

Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
params object

The parameters for the rule.
Any of:
params_property_apm_anomaly object params_property_apm_error_count object params_property_apm_transaction_duration object params_property_apm_transaction_error_rate object params_es_query_dsl_rule object params_es_query_esql_rule object params_es_query_kql_rule object params_index_threshold_rule object params_property_infra_inventory object Count object Ratio object params_property_infra_metric_threshold object params_property_slo_burn_rate object params_property_synthetics_uptime_tls object params_property_synthetics_monitor_status object
Hide attributes Show attributes

serviceName string

Filter the rule to apply to a specific service name.

transactionType string

Filter the rule to apply to a specific transaction type.

windowSize number Required

The size of the time window (in windowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

windowUnit string Required

The type of units for the time window. For example: minutes, hours, or days.

Values are m, h, or d.

environment string Required

Filter the rule to apply to a specific environment.

anomalySeverityType string Required

The severity of anomalies that will generate alerts: critical, major, minor, or warning.

Values are critical, major, minor, or warning.
Hide attributes Show attributes

serviceName string

Filter the errors coming from your application to apply the rule to a specific service.

windowSize number Required

The time frame in which the errors must occur (in windowUnit units). Generally it should be a value higher than the rule check interval to avoid gaps in detection.

windowUnit string Required

The type of units for the time window: minutes, hours, or days.

Values are m, h, or d.

environment string Required

Filter the errors coming from your application to apply the rule to a specific environment.

threshold number Required

The error count threshold.

groupBy array[string]

Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.

Values are service.name, service.environment, transaction.name, or error.grouping_key. Default value is ["service.name", "service.environment"].

errorGroupingKey string

Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties.
Hide attributes Show attributes

serviceName string

Filter the rule to apply to a specific service.

transactionType string

Filter the rule to apply to a specific transaction type.

transactionName string

Filter the rule to apply to a specific transaction name.

windowSize number Required

The size of the time window (in windowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

windowUnit string Required

The type of units for the time window. For example: minutes, hours, or days.

Values are m, h, or d.

environment string Required

Filter the rule to apply to a specific environment.

threshold number Required

The latency threshold value.

groupBy array[string]

Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.

Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].

aggregationType string Required

The type of aggregation to perform.

Values are avg, 95th, or 99th.
Hide attributes Show attributes

serviceName string

The service name from APM

transactionType string

The transaction type from APM

transactionName string

The transaction name from APM

windowSize number Required

The window size

windowUnit string Required

The window size unit

Values are m, h, or d.

environment string Required

The environment from APM

threshold number Required

The error rate threshold value

groupBy array[string]

Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].
An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

esQuery string Required

The query definition, which uses Elasticsearch Query DSL.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

index array[string] | string Required

The indices to query.

One of:
array-1 array[string] string-2 string

searchType string

The type of query, in this case a query that uses Elasticsearch Query DSL.

Value is esQuery. Default value is esQuery.

size integer

The number of documents to pass to the configured actions when the threshold condition is met.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string Required

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

esqlQuery object Required

Hide esqlQuery attribute Show esqlQuery attribute object

esql string Required

The query definition, which uses Elasticsearch Query Language.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

searchType string Required

The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).

Value is esqlQuery.

size integer Required

When searchType is esqlQuery, this property is required but it does not affect the rule behavior.

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. When searchType is esqlQuery, this property is required and must be set to zero.

Minimum value of each is 0, maximum value of each is 0.

thresholdComparator string Required

The comparison function for the threshold. When searchType is esqlQuery, this property is required and must be set to ">". Since the threshold value must be 0, the result is that an alert occurs whenever the query returns results.

Value is >.

timeField string

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

searchConfiguration object

The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.

Hide searchConfiguration attributes Show searchConfiguration attributes object

filter array[object]

A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

Hide filter attributes Show filter attributes object

meta object

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

type string

value string

query object

$state object

index string | array[string]

The indices to query.

One of:
string-1 string array-2 array[string]

query object

Hide query attributes Show query attributes object

language string

query string

searchType string Required

The type of query, in this case a text-based query that uses KQL or Lucene.

Value is searchSource.

size integer Required

The number of documents to pass to the configured actions when the threshold condition is met.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when rule_type_id is .index-threshold.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

filterKuery string

A KQL expression thats limits the scope of alerts.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

index array[string] Required

The indices to query.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string Required

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
Hide attributes Show attributes

criteria array[object]

Hide criteria attributes Show criteria attributes object

metric string

Values are count, cpu, diskLatency, load, memory, memoryTotal, tx, rx, logRate, diskIOReadBytes, diskIOWriteBytes, s3TotalRequests, s3NumberOfObjects, s3BucketSize, s3DownloadBytes, s3UploadBytes, rdsConnections, rdsQueriesExecuted, rdsActiveTransactions, rdsLatency, sqsMessagesVisible, sqsMessagesDelayed, sqsMessagesSent, sqsMessagesEmpty, sqsOldestMessage, or custom.

timeSize number

timeUnit string

Values are s, m, h, or d.

sourceId string

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

customMetric object

Hide customMetric attributes Show customMetric attributes object

type string

Value is custom.

field string

aggregation string

Values are avg, max, min, or rate.

id string

label string

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

filterQuery string

filterQueryText string

nodeType string

Values are host, pod, container, awsEC2, awsS3, awsSQS, or awsRDS.

sourceId string

alertOnNoData boolean
Hide attributes Show attributes

criteria array[object]

Hide criteria attributes Show criteria attributes object

field string

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number | string

One of:
number-1 number string-2 string

count object Required

Hide count attributes Show count attributes object

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number

timeSize number Required

timeUnit string Required

Values are s, m, h, or d.

logView object Required

Hide logView attributes Show logView attributes object

logViewId string

type string

Value is log-view-reference.

groupBy array[string]
Hide attributes Show attributes

criteria array[array]

Hide criteria attributes Show criteria attributes object

field string

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number | string

One of:
number-1 number string-2 string

count object Required

Hide count attributes Show count attributes object

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number

timeSize number Required

timeUnit string Required

Values are s, m, h, or d.

logView object Required

Hide logView attributes Show logView attributes object

logViewId string

type string

Value is log-view-reference.

groupBy array[string]
Hide attributes Show attributes

criteria array[object]

One of:
non count criterion object count criterion object custom criterion object

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

metric string

aggType string

Values are avg, max, min, cardinality, rate, count, sum, p95, p99, or custom.

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

aggType string

Value is count.

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

aggType string

Value is custom.

customMetric array[object]

One of:
object-1 object object-2 object

Hide attributes Show attributes

name string

aggType string

Values are avg, sum, max, min, or cardinality.

field string

equation string

label string

groupBy string | array[string]

One of:
string-1 string array-2 array[string]

filterQuery string

sourceId string

alertOnNoData boolean

alertOnGroupDisappear boolean
Hide attributes Show attributes

sloId string

The SLO identifier used by the rule

burnRateThreshold number

The burn rate threshold used to trigger the alert

maxBurnRateThreshold number

The maximum burn rate threshold value defined by the SLO error budget

longWindow object

The duration of the long window used to compute the burn rate

Hide longWindow attributes Show longWindow attributes object

value number

The duration value

unit string

The duration unit

shortWindow object

The duration of the short window used to compute the burn rate

Hide shortWindow attributes Show shortWindow attributes object

value number

The duration value

unit string

The duration unit
Hide attributes Show attributes

search string

certExpirationThreshold number

certAgeThreshold number
Hide attributes Show attributes

availability object

Hide availability attributes Show availability attributes object

range number

rangeUnit string

threshold string

filters string | object

One of:
string-1 string object-2 object Deprecated

locations array[string] Deprecated

numTimes number Required

search string

shouldCheckStatus boolean Required

shouldCheckAvailability boolean Required

timerangeCount number

timerangeUnit string

timerange object Deprecated

Hide timerange attributes Show timerange attributes object Deprecated

from string

to string

version number

isAutoGenerated boolean

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
409

Indicates that the rule id is already in use.

POST /api/alerting/rule/{id}

curl \
 --request POST 'https://<KIBANA_URL>/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'

Request examples

Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.

{
  "name": "my Elasticsearch query ESQL rule",
  "params": {
    "size": 0,
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActiveAlert"
      }
    }
  ],
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}

Create an Elasticsearch query rule that uses Kibana query language (KQL).

{
  "name": "my Elasticsearch query KQL rule",
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "rule_type_id": ".es-query"
}

Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.

{
  "name": "my Elasticsearch query rule",
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      }
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}

Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.

{
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "alert_delay": {
    "active": 3
  },
  "rule_type_id": ".index-threshold"
}

Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.

{
  "name": "my tracking rule",
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField\"": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1h"
  },
  "rule_type_id": ".geo-containment"
}

Response examples (200)

The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).

{
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "name": "my Elasticsearch query ESQL rule",
  "tags": [],
  "params": {
    "size": 0,
    "aggType": "count",
    "groupBy": "all",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun\"": "true,"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActiveAlert"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "stackAlerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic\",",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-11-01T19:00:10.453Z"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "api_key_created_by_user": false
}

The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).

{
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "name": "my Elasticsearch query KQL rule\"",
  "tags": [],
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-07-14T20:24:50.729Z"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "api_key_created_by_user": false
}

The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).

{
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "name": "my Elasticsearch query rule",
  "tags": [],
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "aggType": "count",
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "groupBy": "all",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "searchType": "esQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      },
      "connector_type_id": ".server-log"
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-08-22T00:03:38.263Z"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "api_key_created_by_user": false
}

The response for successfully creating an index threshold rule.

{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic",
  "alert_delay": {
    "active": 3
  },
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2022-06-08T17:20:31.632Z"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "api_key_created_by_user": false
}

The response for successfully creating a tracking containment rule.

{
  "id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "name": "my tracking rule",
  "tags": [],
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    },
    "outcome_order": 0
  },
  "mute_all": false,
  "next_run": "2024-02-15T03:26:38.033Z",
  "revision": 1,
  "schedule": {
    "interval": "1h"
  },
  "throttle": null,
  "created_at": "2024-02-14T19:52:55.920Z",
  "created_by": "elastic",
  "updated_at": "2024-02-15T03:24:32.574Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".geo-containment",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 74,
    "last_execution_date": "2024-02-15T03:25:38.125Z"
  },
  "scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "api_key_created_by_user": false
}

Get CCR Remote synced integrations status

GET /api/fleet/remote_synced_integrations/status

Api key auth

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.

Responses

200 application/json
Hide response attributes Show response attributes object
- custom_assets object
  
  Hide custom_assets attribute Show custom_assets attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  name string Required
  
  package_name string Required
  
  package_version string Required
  
  sync_status string Required
  
  Values are completed, synchronizing, or failed.
  
  type string Required
- error string
- integrations array[object] Required
  
  Hide integrations attributes Show integrations attributes object
  
  error string
  
  id string
  
  package_name string
  
  package_version string
  
  sync_status string Required
  
  Values are completed, synchronizing, or failed.
  
  updated_at string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/remote_synced_integrations/status

curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/remote_synced_integrations/status' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "custom_assets": {
    "additionalProperty1": {
      "name": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "type": "string"
    },
    "additionalProperty2": {
      "name": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "type": "string"
    }
  },
  "error": "string",
  "integrations": [
    {
      "error": "string",
      "id": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "updated_at": "string"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a data view

DELETE /api/data_views/data_view/{viewId}

Api key auth

WARNING: When you delete a data view, it cannot be recovered.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

viewId string Required

An identifier for the data view.

Responses

204

Indicates a successful call.
404 application/json

Object is not found.
Hide response attributes Show response attributes object
- error string
  
  Value is Not Found.
- message string
- statusCode integer
  
  Value is 404.

DELETE /api/data_views/data_view/{viewId}

curl \
 --request DELETE 'https://<KIBANA_URL>/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Response examples (404)

{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Preview a saved object reference swap

POST /api/data_views/swap_references/_preview

Api key auth

Preview the impact of swapping saved object references from one data view identifier to another.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json

Body Required

delete boolean

Deletes referenced saved object if all references are removed.
forId string | array[string]

Limit the affected saved objects to one or more by identifier.

One of:
string-1 string array-2 array[string]
forType string

Limit the affected saved objects by type.
fromId string Required

The saved object reference to change.
fromType string

Specify the type of the saved object reference to alter. The default value is index-pattern for data views.
toId string Required

New saved object reference value to replace the old value.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- result array[object]
  
  Hide result attributes Show result attributes object
  
  id string
  
  A saved object identifier.
  
  type string
  
  The saved object type.

POST /api/data_views/swap_references/_preview

curl \
 --request POST 'https://<KIBANA_URL>/api/data_views/swap_references/_preview' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"toId":"xyz-123","fromId":"abcd-efg"}'

Request example

{
  "toId": "xyz-123",
  "fromId": "abcd-efg"
}

Response examples (200)

{
  "result": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}

Upgrade an agent

POST /api/fleet/agents/{agentId}/upgrade

Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

agentId string Required

application/json

Body

force boolean
skipRateLimitCheck boolean
source_uri string
version string Required

Responses

200 application/json

Additional properties are NOT allowed.
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agents/{agentId}/upgrade

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agents/{agentId}/upgrade' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"skipRateLimitCheck":true,"source_uri":"string","version":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "skipRateLimitCheck": true,
  "source_uri": "string",
  "version": "string"
}

Response examples (200)

{}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent action status

GET /api/fleet/agents/action_status

Api key auth

[Required authorization] Route required privileges: fleet-agents-read.

Query parameters

page number

Default value is 0.
perPage number

Default value is 20.
date string
latest number
errorSize number

Default value is 5.

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  actionId string Required
  
  cancellationTime string
  
  completionTime string
  
  creationTime string Required
  
  creation time of action
  
  expiration string
  
  hasRolloutPeriod boolean
  
  is_automatic boolean
  
  latestErrors array[object]
  
  latest errors that happened when the agents executed the action
  
  Hide latestErrors attributes Show latestErrors attributes object
  
  agentId string Required
  
  error string Required
  
  hostname string
  
  timestamp string Required
  
  nbAgentsAck number Required
  
  number of agents that acknowledged the action
  
  nbAgentsActionCreated number Required
  
  number of agents included in action from kibana
  
  nbAgentsActioned number Required
  
  number of agents actioned
  
  nbAgentsFailed number Required
  
  number of agents that failed to execute the action
  
  newPolicyId string
  
  new policy id (POLICY_REASSIGN action)
  
  policyId string
  
  policy id (POLICY_CHANGE action)
  
  revision number
  
  new policy revision (POLICY_CHANGE action)
  
  startTime string
  
  start time of action (scheduled actions)
  
  status string Required
  
  Values are COMPLETE, EXPIRED, CANCELLED, FAILED, IN_PROGRESS, or ROLLOUT_PASSED.
  
  type string Required
  
  Values are UPGRADE, UNENROLL, SETTINGS, POLICY_REASSIGN, CANCEL, FORCE_UNENROLL, REQUEST_DIAGNOSTICS, UPDATE_TAGS, POLICY_CHANGE, or INPUT_ACTION.
  
  version string
  
  agent version number (UPGRADE action)
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agents/action_status

curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agents/action_status' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "items": [
    {
      "actionId": "string",
      "cancellationTime": "string",
      "completionTime": "string",
      "creationTime": "string",
      "expiration": "string",
      "hasRolloutPeriod": true,
      "is_automatic": true,
      "latestErrors": [
        {
          "agentId": "string",
          "error": "string",
          "hostname": "string",
          "timestamp": "string"
        }
      ],
      "nbAgentsAck": 42.0,
      "nbAgentsActionCreated": 42.0,
      "nbAgentsActioned": 42.0,
      "nbAgentsFailed": 42.0,
      "newPolicyId": "string",
      "policyId": "string",
      "revision": 42.0,
      "startTime": "string",
      "status": "COMPLETE",
      "type": "UPGRADE",
      "version": "string"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk reassign agents

POST /api/fleet/agents/bulk_reassign

Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

agents array[string] | string Required

Any of:
array-1 array[string] string-2 string
batchSize number
includeInactive boolean

Default value is false.
policy_id string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- actionId string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agents/bulk_reassign

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agents/bulk_reassign' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"policy_id":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "agents": [
    "string"
  ],
  "batchSize": 42.0,
  "includeInactive": false,
  "policy_id": "string"
}

Response examples (200)

{
  "actionId": "string"
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}

Api key auth

Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.

Path parameters

agentPolicyId string Required

Query parameters

format string

Values are simplified or legacy.

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  advanced_settings object
  
  Additional properties are NOT allowed.
  
  Hide advanced_settings attributes Show advanced_settings attributes object
  
  agent_download_target_directory
  
  agent_download_timeout
  
  agent_limits_go_max_procs
  
  agent_logging_files_interval
  
  agent_logging_files_keepfiles
  
  agent_logging_files_rotateeverybytes
  
  agent_logging_level
  
  agent_logging_metrics_period
  
  agent_logging_to_files
  
  agent_features array[object]
  
  Hide agent_features attributes Show agent_features attributes object
  
  enabled boolean Required
  
  name string Required
  
  agentless object
  
  Additional properties are NOT allowed.
  
  Hide agentless attribute Show agentless attribute object
  
  resources object
  
  Additional properties are NOT allowed.
  
  Hide resources attribute Show resources attribute object
  
  requests object
  
  Additional properties are NOT allowed.
  
  Hide requests attributes Show requests attributes object
  
  cpu string
  
  memory string
  
  agents number
  
  data_output_id string | null
  
  description string
  
  download_source_id string | null
  
  fleet_server_host_id string | null
  
  global_data_tags array[object]
  
  User defined data tags that are added to all of the inputs. The values can be strings or numbers.
  
  Hide global_data_tags attributes Show global_data_tags attributes object
  
  name string Required
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  has_fleet_server boolean
  
  id string Required
  
  inactivity_timeout number
  
  Minimum value is 0. Default value is 1209600.
  
  is_default boolean
  
  is_default_fleet_server boolean
  
  is_managed boolean Required
  
  is_preconfigured boolean
  
  is_protected boolean Required
  
  Indicates whether the agent policy has tamper protection enabled. Default false.
  
  keep_monitoring_alive boolean | null
  
  When set to true, monitoring will be enabled but logs/metrics collection will be disabled
  
  Default value is false.
  
  monitoring_diagnostics object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_diagnostics attributes Show monitoring_diagnostics attributes object
  
  limit object
  
  Additional properties are NOT allowed.
  
  Hide limit attributes Show limit attributes object
  
  burst number
  
  interval string
  
  uploader object
  
  Additional properties are NOT allowed.
  
  Hide uploader attributes Show uploader attributes object
  
  init_dur string
  
  max_dur string
  
  max_retries number
  
  monitoring_enabled array[string]
  
  Values are logs, metrics, or traces.
  
  monitoring_http object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_http attributes Show monitoring_http attributes object
  
  buffer object
  
  Additional properties are NOT allowed.
  
  Hide buffer attribute Show buffer attribute object
  
  enabled boolean
  
  Default value is false.
  
  enabled boolean
  
  host string
  
  port number
  
  Minimum value is 0, maximum value is 65353.
  
  monitoring_output_id string | null
  
  monitoring_pprof_enabled boolean
  
  name string Required
  
  Minimum length is 1.
  
  namespace string Required
  
  Minimum length is 1.
  
  overrides object | null
  
  Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are allowed.
  
  package_policies array[string] | array[object]
  
  Any of:
  array-1 array[string] array-2 array[object]
  
  This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
  
  Hide attributes Show attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
  
  required_versions array[object] | null
  
  Hide required_versions attributes Show required_versions attributes object
  
  percentage number Required
  
  Target percentage of agents to auto upgrade
  
  Minimum value is 0, maximum value is 100.
  
  version string Required
  
  Target version for automatic agent upgrade
  
  revision number Required
  
  schema_version string
  
  space_ids array[string]
  
  status string Required
  
  Values are active or inactive.
  
  supports_agentless boolean | null
  
  Indicates whether the agent policy supports agentless integrations.
  
  Default value is false.
  
  unenroll_timeout number
  
  Minimum value is 0.
  
  unprivileged_agents number
  
  updated_at string Required
  
  updated_by string Required
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agent_policies/{agentPolicyId}

curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agent_policies/{agentPolicyId}' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a package file

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}

Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Path parameters

pkgName string Required
pkgVersion string Required
filePath string Required

Responses

200 application/json
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}

curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}' \
 --header "Authorization: $API_KEY"

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get installed packages

GET /api/fleet/epm/packages/installed

Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Query parameters

dataStreamType string

Values are logs, metrics, traces, synthetics, or profiling.
showOnlyActiveDataStreams boolean
nameQuery string
searchAfter array[string | number]
perPage number

Default value is 15.
sortOrder string

Values are asc or desc. Default value is asc.

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  dataStreams array[object] Required
  
  Hide dataStreams attributes Show dataStreams attributes object
  
  name string Required
  
  title string Required
  
  description string
  
  icons array[object]
  
  Hide icons attributes Show icons attributes object
  
  dark_mode boolean
  
  path string
  
  size string
  
  src string Required
  
  title string
  
  type string
  
  name string Required
  
  status string Required
  
  title string
  
  version string Required
- searchAfter array[string | number | boolean]
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/epm/packages/installed

curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/packages/installed' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "items": [
    {
      "dataStreams": [
        {
          "name": "string",
          "title": "string"
        }
      ],
      "description": "string",
      "icons": [
        {
          "dark_mode": true,
          "path": "string",
          "size": "string",
          "src": "string",
          "title": "string",
          "type": "string"
        }
      ],
      "name": "string",
      "status": "string",
      "title": "string",
      "version": "string"
    }
  ],
  "searchAfter": [
    "string"
  ],
  "total": 42.0
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Create an enrollment API key

POST /api/fleet/enrollment_api_keys

Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

expiration string
name string
policy_id string Required

Responses

200 application/json
Hide response attributes Show response attributes object
- action string Required
  
  Value is created.
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  active boolean Required
  
  When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
  
  api_key string Required
  
  The enrollment API key (token) used for enrolling Elastic Agents.
  
  api_key_id string Required
  
  The ID of the API key in the Security API.
  
  created_at string Required
  
  id string Required
  
  name string
  
  The name of the enrollment API key.
  
  policy_id string
  
  The ID of the agent policy the Elastic Agent will be enrolled in.
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/enrollment_api_keys

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/enrollment_api_keys' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"expiration":"string","name":"string","policy_id":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "expiration": "string",
  "name": "string",
  "policy_id": "string"
}

Response examples (200)

{
  "action": "created",
  "item": {
    "active": true,
    "api_key": "string",
    "api_key_id": "string",
    "created_at": "string",
    "id": "string",
    "name": "string",
    "policy_id": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get settings

GET /api/fleet/settings

Api key auth

[Required authorization] Route required privileges: fleet-settings-read.

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  delete_unenrolled_agents object
  
  Additional properties are NOT allowed.
  
  Hide delete_unenrolled_agents attributes Show delete_unenrolled_agents attributes object
  
  enabled boolean Required
  
  is_preconfigured boolean Required
  
  has_seen_add_data_notice boolean
  
  id string Required
  
  output_secret_storage_requirements_met boolean
  
  preconfigured_fields array[string]
  
  Value is fleet_server_hosts.
  
  prerelease_integrations_enabled boolean
  
  secret_storage_requirements_met boolean
  
  use_space_awareness_migration_started_at string | null
  
  use_space_awareness_migration_status string
  
  Values are pending, success, or error.
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
404 application/json
Hide response attribute Show response attribute object
- message string Required

GET /api/fleet/settings

curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/settings' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "item": {
    "delete_unenrolled_agents": {
      "enabled": true,
      "is_preconfigured": true
    },
    "has_seen_add_data_notice": true,
    "id": "string",
    "output_secret_storage_requirements_met": true,
    "preconfigured_fields": [
      "fleet_server_hosts"
    ],
    "prerelease_integrations_enabled": true,
    "secret_storage_requirements_met": true,
    "use_space_awareness_migration_started_at": "string",
    "use_space_awareness_migration_status": "pending",
    "version": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Response examples (404)

{
  "message": "string"
}

Generate a Logstash API key

POST /api/fleet/logstash_api_keys

Api key auth

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Responses

200 application/json
Hide response attribute Show response attribute object
- api_key string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/logstash_api_keys

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/logstash_api_keys' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Response examples (200)

{
  "api_key": "string"
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Update output

PUT /api/fleet/outputs/{outputId}

Api key auth

Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

outputId string Required

application/json

Body object

allow_edit array[string]
ca_sha256 string | null
ca_trusted_fingerprint string | null
config_yaml string | null
hosts array[string(uri)]

At least 1 element.
id string
is_default boolean
is_default_monitoring boolean
is_internal boolean
is_preconfigured boolean
name string
preset string

Values are balanced, custom, throughput, scale, or latency.
proxy_id string | null
secrets object

Additional properties are NOT allowed.
Hide secrets attribute Show secrets attribute object
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
shipper object | null

Additional properties are NOT allowed.
Hide shipper attributes Show shipper attributes object | null
- compression_level number | null Required
- disk_queue_compression_enabled boolean | null Required
- disk_queue_enabled boolean | null
  
  Default value is false.
- disk_queue_encryption_enabled boolean | null Required
- disk_queue_max_size number | null Required
- disk_queue_path string | null Required
- loadbalance boolean | null Required
- max_batch_bytes number | null Required
- mem_queue_events number | null Required
- queue_flush_timeout number | null Required
ssl object | null

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object | null
- certificate string
- certificate_authorities array[string]
- key string
- verification_mode string
  
  Values are full, none, certificate, or strict.
type string

Value is elasticsearch.

allow_edit array[string]
ca_sha256 string | null
ca_trusted_fingerprint string | null
config_yaml string | null
hosts array[string(uri)]

At least 1 element.
id string
is_default boolean
is_default_monitoring boolean
is_internal boolean
is_preconfigured boolean
kibana_api_key string | null
kibana_url string | null
name string
preset string

Values are balanced, custom, throughput, scale, or latency.
proxy_id string | null
secrets object

Additional properties are NOT allowed.
Hide secrets attributes Show secrets attributes object
- service_token object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
service_token string | null
shipper object | null

Additional properties are NOT allowed.
Hide shipper attributes Show shipper attributes object | null
- compression_level number | null Required
- disk_queue_compression_enabled boolean | null Required
- disk_queue_enabled boolean | null
  
  Default value is false.
- disk_queue_encryption_enabled boolean | null Required
- disk_queue_max_size number | null Required
- disk_queue_path string | null Required
- loadbalance boolean | null Required
- max_batch_bytes number | null Required
- mem_queue_events number | null Required
- queue_flush_timeout number | null Required
ssl object | null

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object | null
- certificate string
- certificate_authorities array[string]
- key string
- verification_mode string
  
  Values are full, none, certificate, or strict.
sync_integrations boolean
sync_uninstalled_integrations boolean
type string

Value is remote_elasticsearch.

allow_edit array[string]
ca_sha256 string | null
ca_trusted_fingerprint string | null
config_yaml string | null
hosts array[string]

At least 1 element.
id string
is_default boolean
is_default_monitoring boolean
is_internal boolean
is_preconfigured boolean
name string
proxy_id string | null
secrets object

Additional properties are NOT allowed.
Hide secrets attribute Show secrets attribute object
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
shipper object | null

Additional properties are NOT allowed.
Hide shipper attributes Show shipper attributes object | null
- compression_level number | null Required
- disk_queue_compression_enabled boolean | null Required
- disk_queue_enabled boolean | null
  
  Default value is false.
- disk_queue_encryption_enabled boolean | null Required
- disk_queue_max_size number | null Required
- disk_queue_path string | null Required
- loadbalance boolean | null Required
- max_batch_bytes number | null Required
- mem_queue_events number | null Required
- queue_flush_timeout number | null Required
ssl object | null

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object | null
- certificate string
- certificate_authorities array[string]
- key string
- verification_mode string
  
  Values are full, none, certificate, or strict.
type string

Value is logstash.

allow_edit array[string]
auth_type string

Values are none, user_pass, ssl, or kerberos.
broker_timeout number
ca_sha256 string | null
ca_trusted_fingerprint string | null
client_id string
compression string

Values are gzip, snappy, lz4, or none.
compression_level array | null | boolean | number | object | string Required

Any of:
array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
config_yaml string | null
connection_type array | null | boolean | number | object | string Required

Any of:
array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
hash object

Additional properties are NOT allowed.
Hide hash attributes Show hash attributes object
- hash string
- random boolean
headers array[object]
Hide headers attributes Show headers attributes object
- key string Required
- value string Required
hosts array[string]

At least 1 element.
id string
is_default boolean

Default value is false.
is_default_monitoring boolean

Default value is false.
is_internal boolean
is_preconfigured boolean
key string
name string Required
partition string

Values are random, round_robin, or hash.
password array | null | boolean | number | object | string Required

Any of:
array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
proxy_id string | null
random object

Additional properties are NOT allowed.
Hide random attribute Show random attribute object
- group_events number
required_acks integer

Values are 1, 0, or -1.
round_robin object

Additional properties are NOT allowed.
Hide round_robin attribute Show round_robin attribute object
- group_events number
sasl object | null

Additional properties are NOT allowed.
Hide sasl attribute Show sasl attribute object | null
- mechanism string
  
  Values are PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.
secrets object

Additional properties are NOT allowed.
Hide secrets attributes Show secrets attributes object
- password object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string Required
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
shipper object | null

Additional properties are NOT allowed.
Hide shipper attributes Show shipper attributes object | null
- compression_level number | null Required
- disk_queue_compression_enabled boolean | null Required
- disk_queue_enabled boolean | null
  
  Default value is false.
- disk_queue_encryption_enabled boolean | null Required
- disk_queue_max_size number | null Required
- disk_queue_path string | null Required
- loadbalance boolean | null Required
- max_batch_bytes number | null Required
- mem_queue_events number | null Required
- queue_flush_timeout number | null Required
ssl object | null

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object | null
- certificate string
- certificate_authorities array[string]
- key string
- verification_mode string
  
  Values are full, none, certificate, or strict.
timeout number
topic string
type string

Value is kafka.
username array | null | boolean | number | object | string Required

Any of:
array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
version string

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Any of:
  object-1 object object-2 object object-3 object object-4 object
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string(uri)] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  name string Required
  
  preset string
  
  Values are balanced, custom, throughput, scale, or latency.
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  type string Required
  
  Value is elasticsearch.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string(uri)] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  kibana_api_key string | null
  
  kibana_url string | null
  
  name string Required
  
  preset string
  
  Values are balanced, custom, throughput, scale, or latency.
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attributes Show secrets attributes object
  
  service_token object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  service_token string | null
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  sync_integrations boolean
  
  sync_uninstalled_integrations boolean
  
  type string Required
  
  Value is remote_elasticsearch.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  name string Required
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  type string Required
  
  Value is logstash.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  auth_type string Required
  
  Values are none, user_pass, ssl, or kerberos.
  
  broker_timeout number
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  client_id string
  
  compression string
  
  Values are gzip, snappy, lz4, or none.
  
  compression_level array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  config_yaml string | null
  
  connection_type array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  hash object
  
  Additional properties are allowed.
  
  Hide hash attributes Show hash attributes object
  
  hash string
  
  random boolean
  
  headers array[object]
  
  Hide headers attributes Show headers attributes object
  
  key string Required
  
  value string Required
  
  hosts array[string] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  key string
  
  name string Required
  
  partition string
  
  Values are random, round_robin, or hash.
  
  password array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  proxy_id string | null
  
  random object
  
  Additional properties are allowed.
  
  Hide random attribute Show random attribute object
  
  group_events number
  
  required_acks integer
  
  Values are 1, 0, or -1.
  
  round_robin object
  
  Additional properties are allowed.
  
  Hide round_robin attribute Show round_robin attribute object
  
  group_events number
  
  sasl object | null
  
  Additional properties are allowed.
  
  Hide sasl attribute Show sasl attribute object | null
  
  mechanism string
  
  Values are PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attributes Show secrets attributes object
  
  password object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string Required
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  timeout number
  
  topic string
  
  type string Required
  
  Value is kafka.
  
  username array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

PUT /api/fleet/outputs/{outputId}

curl \
 --request PUT 'https://<KIBANA_URL>/api/fleet/outputs/{outputId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"allow_edit":["string"],"ca_sha256":"string","ca_trusted_fingerprint":"string","config_yaml":"string","hosts":["https://example.com"],"id":"string","is_default":true,"is_default_monitoring":true,"is_internal":true,"is_preconfigured":true,"name":"string","preset":"balanced","proxy_id":"string","secrets":{"ssl":{"key":{"id":"string"}}},"shipper":{"compression_level":42.0,"disk_queue_compression_enabled":true,"disk_queue_enabled":false,"disk_queue_encryption_enabled":true,"disk_queue_max_size":42.0,"disk_queue_path":"string","loadbalance":true,"max_batch_bytes":42.0,"mem_queue_events":42.0,"queue_flush_timeout":42.0},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string","verification_mode":"full"},"type":"elasticsearch"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "elasticsearch"
}

# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "kibana_api_key": "string",
  "kibana_url": "string",
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "secrets": {
    "service_token": {
      "id": "string"
    },
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "service_token": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "sync_integrations": true,
  "sync_uninstalled_integrations": true,
  "type": "remote_elasticsearch"
}

# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "logstash"
}

# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "auth_type": "none",
  "broker_timeout": 42.0,
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "client_id": "string",
  "compression": "gzip",
  "compression_level": [],
  "config_yaml": "string",
  "connection_type": [],
  "hash": {
    "hash": "string",
    "random": true
  },
  "headers": [
    {
      "key": "string",
      "value": "string"
    }
  ],
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "key": "string",
  "name": "string",
  "partition": "random",
  "password": [],
  "proxy_id": "string",
  "random": {
    "group_events": 42.0
  },
  "required_acks": 1,
  "round_robin": {
    "group_events": 42.0
  },
  "sasl": {
    "mechanism": "PLAIN"
  },
  "secrets": {
    "password": {
      "id": "string"
    },
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "timeout": 42.0,
  "topic": "string",
  "type": "kafka",
  "username": [],
  "version": "string"
}

Response examples (200)

{
  "item": {
    "allow_edit": [
      "string"
    ],
    "ca_sha256": "string",
    "ca_trusted_fingerprint": "string",
    "config_yaml": "string",
    "hosts": [
      "https://example.com"
    ],
    "id": "string",
    "is_default": false,
    "is_default_monitoring": false,
    "is_internal": true,
    "is_preconfigured": true,
    "name": "string",
    "preset": "balanced",
    "proxy_id": "string",
    "secrets": {
      "ssl": {
        "key": {
          "id": "string"
        }
      }
    },
    "shipper": {
      "compression_level": 42.0,
      "disk_queue_compression_enabled": true,
      "disk_queue_enabled": false,
      "disk_queue_encryption_enabled": true,
      "disk_queue_max_size": 42.0,
      "disk_queue_path": "string",
      "loadbalance": true,
      "max_batch_bytes": 42.0,
      "mem_queue_events": 42.0,
      "queue_flush_timeout": 42.0
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string",
      "verification_mode": "full"
    },
    "type": "elasticsearch"
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Upgrade a package policy

POST /api/fleet/package_policies/upgrade

Api key auth

Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

packagePolicyIds array[string] Required

Responses

200 application/json
Hide response attributes Show response attributes object
- body object
  
  Additional properties are NOT allowed.
  
  Hide body attribute Show body attribute object
  
  message string Required
- id string Required
- name string
- statusCode number
- success boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/package_policies/upgrade

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/package_policies/upgrade' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"packagePolicyIds":["string"]}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "packagePolicyIds": [
    "string"
  ]
}

Response examples (200)

[
  {
    "body": {
      "message": "string"
    },
    "id": "string",
    "name": "string",
    "statusCode": 42.0,
    "success": true
  }
]

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a Fleet Server host

POST /api/fleet/fleet_server_hosts

Api key auth

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

host_urls array[string] Required

At least 1 element.
id string
is_default boolean

Default value is false.
is_internal boolean
is_preconfigured boolean

Default value is false.
name string Required
proxy_id string | null
secrets object

Additional properties are NOT allowed.
Hide secrets attribute Show secrets attribute object
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attributes Show ssl attributes object
  
  es_key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
ssl object | null

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object | null
- certificate string
- certificate_authorities array[string]
- client_auth string
  
  Values are optional, required, or none.
- es_certificate string
- es_certificate_authorities array[string]
- es_key string
- key string

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  host_urls array[string] Required
  
  At least 1 element.
  
  id string Required
  
  is_default boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  Default value is false.
  
  name string Required
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are NOT allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  es_key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object | null
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  client_auth string
  
  Values are optional, required, or none.
  
  es_certificate string
  
  es_certificate_authorities array[string]
  
  es_key string
  
  key string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/fleet_server_hosts

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/fleet_server_hosts' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host_urls":["string"],"id":"string","is_default":false,"is_internal":true,"is_preconfigured":false,"name":"string","proxy_id":"string","secrets":{"ssl":{"es_key":{"id":"string"},"key":{"id":"string"}}},"ssl":{"certificate":"string","certificate_authorities":["string"],"client_auth":"optional","es_certificate":"string","es_certificate_authorities":["string"],"es_key":"string","key":"string"}}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "host_urls": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_internal": true,
  "is_preconfigured": false,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "es_key": {
        "id": "string"
      },
      "key": {
        "id": "string"
      }
    }
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "client_auth": "optional",
    "es_certificate": "string",
    "es_certificate_authorities": [
      "string"
    ],
    "es_key": "string",
    "key": "string"
  }
}

Response examples (200)

{
  "item": {
    "host_urls": [
      "string"
    ],
    "id": "string",
    "is_default": false,
    "is_internal": true,
    "is_preconfigured": false,
    "name": "string",
    "proxy_id": "string",
    "secrets": {
      "ssl": {
        "es_key": {
          "id": "string"
        },
        "key": {
          "id": "string"
        }
      }
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "client_auth": "optional",
      "es_certificate": "string",
      "es_certificate_authorities": [
        "string"
      ],
      "es_key": "string",
      "key": "string"
    }
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Sync machine learning saved objects

GET /api/ml/saved_objects/sync

Api key auth

Synchronizes Kibana saved objects for machine learning jobs and trained models. This API runs automatically when you start Kibana and periodically thereafter.

Query parameters

simulate boolean

When true, simulates the synchronization by returning only the list of actions that would be performed.

Responses

200 application/json

Indicates a successful call
Hide response attributes Show response attributes object
- datafeedsAdded object
  
  If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.
  
  Hide datafeedsAdded attribute Show datafeedsAdded attribute object
  
  * object Additional properties
  
  The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.
  
  Hide * attribute Show * attribute object
  
  success boolean
  
  The success or failure of the synchronization.
- datafeedsRemoved object
  
  If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.
  
  Hide datafeedsRemoved attribute Show datafeedsRemoved attribute object
  
  * object Additional properties
  
  The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.
  
  Hide * attribute Show * attribute object
  
  success boolean
  
  The success or failure of the synchronization.
- savedObjectsCreated object
  
  If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.
  
  Hide savedObjectsCreated attributes Show savedObjectsCreated attributes object
  
  anomaly-detector object
  
  If saved objects are missing for anomaly detection jobs, they are created.
  
  Hide anomaly-detector attribute Show anomaly-detector attribute object
  
  * object Additional properties
  
  The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
  
  Hide * attribute Show * attribute object
  
  success boolean
  
  The success or failure of the synchronization.
  
  data-frame-analytics object
  
  If saved objects are missing for data frame analytics jobs, they are created.
  
  Hide data-frame-analytics attribute Show data-frame-analytics attribute object
  
  * object Additional properties
  
  The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
  
  Hide * attribute Show * attribute object
  
  success boolean
  
  The success or failure of the synchronization.
  
  trained-model object
  
  If saved objects are missing for trained models, they are created.
  
  Hide trained-model attribute Show trained-model attribute object
  
  * object Additional properties
  
  The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.
  
  Hide * attribute Show * attribute object
  
  success boolean
  
  The success or failure of the synchronization.
- savedObjectsDeleted object
  
  If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.
  
  Hide savedObjectsDeleted attributes Show savedObjectsDeleted attributes object
  
  anomaly-detector object
  
  If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted.
  
  Hide anomaly-detector attribute Show anomaly-detector attribute object
  
  * object Additional properties
  
  The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
  
  Hide * attribute Show * attribute object
  
  success boolean
  
  The success or failure of the synchronization.
  
  data-frame-analytics object
  
  If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted.
  
  Hide data-frame-analytics attribute Show data-frame-analytics attribute object
  
  * object Additional properties
  
  The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
  
  Hide * attribute Show * attribute object
  
  success boolean
  
  The success or failure of the synchronization.
  
  trained-model object
  
  If there are saved objects exist for nonexistent trained models, they are deleted.
  
  Hide trained-model attribute Show trained-model attribute object
  
  * object Additional properties
  
  The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.
  
  Hide * attribute Show * attribute object
  
  success boolean
  
  The success or failure of the synchronization.
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/ml/saved_objects/sync

curl \
 --request GET 'https://<KIBANA_URL>/api/ml/saved_objects/sync' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "datafeedsAdded": {},
  "datafeedsRemoved": {},
  "savedObjectsCreated": {
    "anomaly-detector": {
      "myjob1": {
        "success": true
      },
      "myjob2": {
        "success": true
      }
    }
  },
  "savedObjectsDeleted": {}
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Delete a role

DELETE /api/security/role/{name}

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

name string Required

Minimum length is 1.

Responses

204

Indicates a successful call.

DELETE /api/security/role/{name}

curl \
 --request DELETE 'https://<KIBANA_URL>/api/security/role/{name}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Update a Knowledge Base Entry

PUT /api/security_ai_assistant/knowledge_base/entries/{id}

Api key auth

Update a Knowledge Base Entry

Path parameters

id string(nonempty) Required

The Knowledge Base Entry's id value

Minimum length is 1.

application/json

Body object Required

global boolean

Whether this Knowledge Base Entry is global, defaults to false
name string Required

Name of the Knowledge Base Entry
namespace string

Kibana Space, defaults to 'default' space
users array[object]

Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

Could be any string, not necessarily a UUID
Hide users attributes Show users attributes object
- id string
  
  User id
- name string
  
  User name
kbResource string Required

Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc

Values are security_labs or user.
source string Required

Source document name or filepath
text string Required

Knowledge Base Entry content
type string Required Discriminator

Entry type

Value is document.
required boolean

Whether this resource should always be included, defaults to false
vector object

Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings
Hide vector attributes Show vector attributes object
- modelId string Required
  
  ID of the model used to create the embeddings
- tokens object Required
  
  Tokens with their corresponding values
  Hide tokens attribute Show tokens attribute object
  
  * number Additional properties

global boolean

Whether this Knowledge Base Entry is global, defaults to false
name string Required

Name of the Knowledge Base Entry
namespace string

Kibana Space, defaults to 'default' space
users array[object]

Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

Could be any string, not necessarily a UUID
Hide users attributes Show users attributes object
- id string
  
  User id
- name string
  
  User name
description string Required

Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description
field string Required

Field to query for Knowledge Base content
index string Required

Index or Data Stream to query for Knowledge Base content
queryDescription string Required

Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema
type string Required Discriminator

Entry type

Value is index.
inputSchema array[object]

Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval
Hide inputSchema attributes Show inputSchema attributes object
- description string Required
  
  Description of the field
- fieldName string Required
  
  Name of the field
- fieldType string Required
  
  Type of the field
outputFields array[string]

Fields to extract from the query result, defaults to all fields if not provided or empty

Responses

200 application/json

Successful request returning the updated Knowledge Base Entry
Any of:
Security_AI_Assistant_API_DocumentEntryResponseFields object Security_AI_Assistant_API_IndexEntryResponseFields object
Hide attributes Show attributes

global boolean Required

Whether this Knowledge Base Entry is global, defaults to false

name string Required

Name of the Knowledge Base Entry

namespace string Required

Kibana Space, defaults to 'default' space

users array[object] Required

Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

Could be any string, not necessarily a UUID

Hide users attributes Show users attributes object

id string

User id

name string

User name

createdAt string Required

Time the Knowledge Base Entry was created

createdBy string Required

User who created the Knowledge Base Entry

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

updatedAt string Required

Time the Knowledge Base Entry was last updated

updatedBy string Required

User who last updated the Knowledge Base Entry

kbResource string Required

Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc

Values are security_labs or user.

source string Required

Source document name or filepath

text string Required

Knowledge Base Entry content

type string Required Discriminator

Entry type

Value is document.

required boolean

Whether this resource should always be included, defaults to false

vector object

Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

Hide vector attributes Show vector attributes object

modelId string Required

ID of the model used to create the embeddings

tokens object Required

Tokens with their corresponding values

Hide tokens attribute Show tokens attribute object

* number Additional properties
Hide attributes Show attributes

global boolean Required

Whether this Knowledge Base Entry is global, defaults to false

name string Required

Name of the Knowledge Base Entry

namespace string Required

Kibana Space, defaults to 'default' space

users array[object] Required

Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

Could be any string, not necessarily a UUID

Hide users attributes Show users attributes object

id string

User id

name string

User name

createdAt string Required

Time the Knowledge Base Entry was created

createdBy string Required

User who created the Knowledge Base Entry

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

updatedAt string Required

Time the Knowledge Base Entry was last updated

updatedBy string Required

User who last updated the Knowledge Base Entry

description string Required

Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description

field string Required

Field to query for Knowledge Base content

index string Required

Index or Data Stream to query for Knowledge Base content

queryDescription string Required

Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema

type string Required Discriminator

Entry type

Value is index.

inputSchema array[object]

Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval

Hide inputSchema attributes Show inputSchema attributes object

description string Required

Description of the field

fieldName string Required

Name of the field

fieldType string Required

Type of the field

outputFields array[string]

Fields to extract from the query result, defaults to all fields if not provided or empty
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

PUT /api/security_ai_assistant/knowledge_base/entries/{id}

curl \
 --request PUT 'https://<KIBANA_URL>/api/security_ai_assistant/knowledge_base/entries/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"global":true,"name":"string","namespace":"string","users":[{"id":"string","name":"string"}],"kbResource":"security_labs","source":"string","text":"string","type":"document","required":true,"vector":{"modelId":"string","tokens":{"additionalProperty1":42.0,"additionalProperty2":42.0}}}'

Request examples

{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "kbResource": "security_labs",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}

{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}

Response examples (200)

{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "kbResource": "security_labs",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}

{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Add and remove detection alert tags

POST /api/detection_engine/signals/tags

Api key auth

And tags to detection alerts, and remove them from alerts.

You cannot add and remove the same alert tag in the same request.

application/json

Body Required

An object containing tags to add or remove and alert ids the changes will be applied

ids array[string(nonempty)] Required

A list of alerts ids.

At least 1 element. Minimum length of each is 1.
tags object Required

Object with list of tags to add and remove.
Hide tags attributes Show tags attributes object
- tags_to_add array[string(nonempty)] Required
  
  List of keywords to organize related alerts into categories that you can filter and group.
  
  Minimum length of each is 1.
- tags_to_remove array[string(nonempty)] Required
  
  List of keywords to organize related alerts into categories that you can filter and group.
  
  Minimum length of each is 1.

Responses

200 application/json

Successful response

Elasticsearch update by query response

Additional properties are allowed.
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/signals/tags

curl \
 --request POST 'https://<KIBANA_URL>/api/detection_engine/signals/tags' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"ids":["549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"],"tags":{"tags_to_add":["Duplicate"],"tags_to_remove":[]}}'

Request examples

{
  "ids": [
    "549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"
  ],
  "tags": {
    "tags_to_add": [
      "Duplicate"
    ],
    "tags_to_remove": []
  }
}

{
  "ids": [
    "549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"
  ],
  "tags": {
    "tags_to_add": [],
    "tags_to_remove": [
      "Duplicate"
    ]
  }
}

Response examples (200)

{
  "took": "68,",
  "noops": "0,",
  "total": "1,",
  "batches": "1,",
  "deleted": "0,",
  "retries": {
    "bulk": "0,",
    "search": 0
  },
  "updated": "1,",
  "failures": [],
  "timed_out": "false,",
  "throttled_millis": "0,",
  "version_conflicts": "0,",
  "requests_per_second": "-1,",
  "throttled_until_millis": "0,"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Create an endpoint exception list

POST /api/endpoint_list

Api key auth

Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned.

Responses

200 application/json

Successful response
One of:
Security_Endpoint_Exceptions_API_ExceptionList object object-2 object
Hide attributes Show attributes

_version string

The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

created_at string(date-time) Required

Autogenerated date of object creation.

created_by string Required

Autogenerated value - user that created object.

description string Required

Describes the exception list.

id string(nonempty) Required

Exception list's identifier.

Minimum length is 1.

immutable boolean Required

list_id string(nonempty) Required

Exception list's human readable string identifier, e.g. trusted-linux-processes.

Minimum length is 1.

meta object

Placeholder for metadata about the list container.

Additional properties are allowed.

name string Required

The name of the exception list.

namespace_type string Required

Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

single: Only available in the Kibana space in which it is created.

agnostic: Available in all Kibana spaces.

Values are agnostic or single.

os_types array[string]

Use this field to specify the operating system. Only enter one value.

Values are linux, macos, or windows.

tags array[string]

String array containing words and phrases to help categorize exception containers.

tie_breaker_id string Required

Field used in search to ensure all containers are sorted and returned correctly.

type string Required

The type of exception list to be created. Different list types may denote where they can be utilized.

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

updated_at string(date-time) Required

Autogenerated date of last object update.

updated_by string Required

Autogenerated value - user that last updated object.

version integer Required

The document version, automatically increasd on updates.

Minimum value is 1.
Additional properties are NOT allowed.
400 application/json

Invalid input data
One of:
Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Insufficient privileges
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/endpoint_list

curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint_list' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "_version": "string",
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "description": "This list tracks allowlisted values.",
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "immutable": true,
  "list_id": "simple_list",
  "meta": {},
  "name": "My exception list",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "detection",
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "version": 42
}

{}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Get a file

POST /api/endpoint/action/get_file

Api key auth

Get a file from an endpoint.

application/json

Body Required

agent_type string

List of agent types to retrieve. Defaults to endpoint.

Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.
alert_ids array[string(nonempty)]

A list of alerts ids.

At least 1 element. Minimum length of each is 1.
case_ids array[string]

Case IDs to be updated (cannot contain empty strings)

At least 1 element. Minimum length of each is 1.
comment string

Optional comment
endpoint_ids array[string] Required

List of endpoint IDs (cannot contain empty strings)

At least 1 element. Minimum length of each is 1.
parameters object Required

Optional parameters object
Hide parameters attribute Show parameters attribute object
- path string Required

Responses

200 application/json

OK

POST /api/endpoint/action/get_file

curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/get_file' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Get my file","parameters":{"path":"/usr/my-file.txt"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'

Request example

{
  "comment": "Get my file",
  "parameters": {
    "path": "/usr/my-file.txt"
  },
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}

Response examples (200)

{
  "data": {
    "id": "27ba1b42-7cc6-4e53-86ce-675c876092b2",
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
      }
    },
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "status": "pending",
    "command": "get-file",
    "outputs": {},
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2023-07-28T19:00:03.911Z",
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "parameters": {
      "path": "/usr/my-file.txt"
    },
    "isCompleted": false,
    "wasSuccessful": false
  }
}

Upload a file

POST /api/endpoint/action/upload

Api key auth

Upload a file to an endpoint.

multipart/form-data

Body Required

agent_type string

List of agent types to retrieve. Defaults to endpoint.

Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.
alert_ids array[string(nonempty)]

A list of alerts ids.

At least 1 element. Minimum length of each is 1.
case_ids array[string]

Case IDs to be updated (cannot contain empty strings)

At least 1 element. Minimum length of each is 1.
comment string

Optional comment
endpoint_ids array[string] Required

List of endpoint IDs (cannot contain empty strings)

At least 1 element. Minimum length of each is 1.
parameters object Required

Optional parameters object
Hide parameters attribute Show parameters attribute object
- overwrite boolean
  
  Overwrite the file on the host if it already exists.
  
  Default value is false.
file string(binary) Required

The binary content of the file.

Responses

200 application/json

OK

POST /api/endpoint/action/upload

curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/upload' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --form "file=RWxhc3RpYw==" \
 --form 'parameters={}' \
 --form "endpoint_ids[]=ed518850-681a-4d60-bb98-e22640cae2a8"

Request example

{"file"=>"RWxhc3RpYw==", "parameters"=>{}, "endpoint_ids"=>["ed518850-681a-4d60-bb98-e22640cae2a8"]}

Response examples (200)

{
  "data": {
    "id": "9ff6aebc-2cb6-481e-8869-9b30036c9731",
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "Host-5i6cuc8kdv"
      }
    },
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "status": "pending",
    "command": "upload",
    "outputs": {},
    "agentType": "endpoint",
    "createdBy": "elastic",
    "isExpired": false,
    "startedAt": "2023-07-03T15:07:22.837Z",
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "parameters": {
      "file_id": "10e4ce3d-4abb-4f93-a0cd-eaf63a489280",
      "file_name": "fix-malware.sh",
      "file_size": 69,
      "file_sha256": "a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a"
    },
    "isCompleted": false,
    "wasSuccessful": false
  }
}

Update an exception list item

PUT /api/exception_lists/items

Api key auth

Update an exception list item using the id or item_id field.

application/json

Body Required

Exception list item's properties

_version string

The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
comments array[object]

Default value is [] (empty).
Hide comments attributes Show comments attributes object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- id string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
entries array[object] Required
Any of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list object Required

Hide list attributes Show list attributes object

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is list.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is exists.
Hide attributes Show attributes

entries array[object] Required

At least 1 element.

One of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is exists.

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required Discriminator

Value is nested.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is wildcard.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
id string(nonempty)

Exception's identifier.

Minimum length is 1.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
list_id string(nonempty)

Exception list's human readable string identifier, e.g. trusted-linux-processes.

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
Values are agnostic or single. Default value is single.
os_types array[string]

Use this field to specify the operating system.

Values are linux, macos, or windows. Default value is [] (empty).
tags array[string(nonempty)]

String array containing words and phrases to help categorize exception items.

Minimum length of each is 1. Default value is [] (empty).
type string Required

Value is simple.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows. Default value is [] (empty).
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1. Default value is [] (empty).
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

Exception list item not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

PUT /api/exception_lists/items

curl \
 --request PUT 'https://<KIBANA_URL>/api/exception_lists/items' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"name":"Updated name","tags":[],"type":"simple","entries":[{"type":"match","field":"host.name","value":"rock01","operator":"included"}],"item_id":"simple_list_item","comments":[],"description":"Updated description","namespace_type":"single"}'

Request example

{
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "comments": [],
  "description": "Updated description",
  "namespace_type": "single"
}

Response examples (200)

{
  "id": "459c5e7e-f8b2-4f0b-b136-c1fc702f72da",
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzEyLDFd",
  "comments": [],
  "os_types": [],
  "created_at": "2025-01-07T21:12:25.512Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T21:34:50.233Z",
  "updated_by": "elastic",
  "description": "Updated description",
  "namespace_type": "single",
  "tie_breaker_id": "ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request body]: item_id: Expected string, received number",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "exception list item item_id: \\\"foo\\\" does not exist",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Create an exception list item

POST /api/exception_lists/items

Api key auth

Create an exception item and associate it with the specified exception list.

Before creating exception items, you must create an exception list.

application/json

Body Required

Exception list item's properties

comments array[object]

Default value is [] (empty).
Hide comments attribute Show comments attribute object
- comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
description string Required

Describes the exception list.
entries array[object] Required
Any of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list object Required

Hide list attributes Show list attributes object

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

type string Required

Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

keyword: Many ECS fields are Elasticsearch keywords

ip: IP addresses

ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is list.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is exists.
Hide attributes Show attributes

entries array[object] Required

At least 1 element.

One of:
Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is match_any.

value array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required

Value is exists.

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required Discriminator

Value is nested.
Hide attributes Show attributes

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

operator string Required

Values are excluded or included.

type string Required Discriminator

Value is wildcard.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
expire_time string(date-time)

The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
item_id string(nonempty)

Human readable string identifier, e.g. trusted-linux-processes

Minimum length is 1.
list_id string(nonempty) Required

Exception list's human readable string identifier, e.g. trusted-linux-processes.

Minimum length is 1.
meta object

Additional properties are allowed.
name string(nonempty) Required

Exception list name.

Minimum length is 1.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
Values are agnostic or single. Default value is single.
os_types array[string]

Use this field to specify the operating system.

Values are linux, macos, or windows. Default value is [] (empty).
tags array[string(nonempty)]

String array containing words and phrases to help categorize exception items.

Minimum length of each is 1. Default value is [] (empty).
type string Required

Value is simple.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows. Default value is [] (empty).
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1. Default value is [] (empty).
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
409 application/json

Exception list item already exists response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/exception_lists/items

curl \
 --request POST 'https://<KIBANA_URL>/api/exception_lists/items' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"name":"Sample Exception List Item","tags":["malware"],"type":"simple","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["saturn","jupiter"],"operator":"included"}],"item_id":"simple_list_item","list_id":"simple_list","os_types":["linux"],"description":"This is a sample detection type exception item.","namespace_type":"single"}'

Request example

{
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "exists",
      "field": "actingProcess.file.signer",
      "operator": "excluded"
    },
    {
      "type": "match_any",
      "field": "host.name",
      "value": [
        "saturn",
        "jupiter"
      ],
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "os_types": [
    "linux"
  ],
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single"
}

Response examples (200)

{
  "id": "323faa75-c657-4fa0-9084-8827612c207b",
  "name": "Sample Autogenerated Exception List Item ID",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "exists",
      "field": "actingProcess.file.signer",
      "operator": "excluded"
    }
  ],
  "item_id": "80e6edf7-4b13-4414-858f-2fa74aa52b37",
  "list_id": "8c1aae4c-1ef5-4bce-a2e3-16584b501783",
  "_version": "WzYsMV0=",
  "comments": [],
  "os_types": [],
  "created_at": "2025-01-09T01:16:23.322Z",
  "created_by": "elastic",
  "updated_at": "2025-01-09T01:16:23.322Z",
  "updated_by": "elastic",
  "description": "This is a sample exception that has no item_id so it is autogenerated.",
  "namespace_type": "single",
  "tie_breaker_id": "d6799986-3a23-4213-bc6d-ed9463a32f23"
}

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "exists",
      "field": "actingProcess.file.signer",
      "operator": "excluded"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "exists",
      "field": "actingProcess.file.signer",
      "operator": "excluded"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "match_any",
      "field": "host.name",
      "value": [
        "saturn",
        "jupiter"
      ],
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "actingProcess.file.signer",
      "value": "Elastic N.V.",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "nested",
      "field": "file.signature",
      "entries": [
        {
          "type": "match",
          "field": "signer",
          "value": "Evil",
          "operator": "included"
        },
        {
          "type": "match",
          "field": "trusted",
          "value": true,
          "operator": "included"
        }
      ]
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}

{
  "id": "deb26876-297d-4677-8a1f-35467d2f1c4f",
  "name": "Filter out good guys ip and agent.name rock01",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "list": {
        "id": "goodguys.txt",
        "type": "ip"
      },
      "type": "list",
      "field": "source.ip",
      "operator": "excluded"
    }
  ],
  "item_id": "686b129e-9b8d-4c59-8d8d-c93a9ea82c71",
  "list_id": "8c1aae4c-1ef5-4bce-a2e3-16584b501783",
  "_version": "WzcsMV0=",
  "comments": [],
  "os_types": [],
  "created_at": "2025-01-09T01:31:12.614Z",
  "created_by": "elastic",
  "updated_at": "2025-01-09T01:31:12.614Z",
  "updated_by": "elastic",
  "description": "Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list",
  "namespace_type": "single",
  "tie_breaker_id": "5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8"
}

Response examples (400)

{
  "error": "Bad Request,",
  "message": "[request body]: list_id: Expected string, received number",
  "statusCode": "400,"
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}

Response examples (409)

{
  "message": "exception list item id: \\\"simple_list_item\\\" already exists",
  "status_code": 409
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Patch a value list

PATCH /api/lists

Api key auth

Update specific fields of an existing list using the list id.

application/json

Body Required

Value list's properties

_version string

The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
description string(nonempty)

Describes the value list.

Minimum length is 1.
id string(nonempty) Required

Value list's identifier.

Minimum length is 1.
meta object

Placeholder for metadata about the value list.

Additional properties are allowed.
name string(nonempty)

Value list's name.

Minimum length is 1.
version integer

The document version number.

Minimum value is 1.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
- @timestamp string(date-time)
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string(nonempty) Required
  
  Describes the value list.
  
  Minimum length is 1.
- deserializer string
  
  Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
  
  {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
  
  {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
  
  {{{gte}}},{{{lte}}} - Date range values.
- id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
- immutable boolean Required
- meta object
  
  Placeholder for metadata about the value list.
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Value list's name.
  
  Minimum length is 1.
- serializer string
  
  Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
  
  (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
  
  (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
- version integer Required
  
  The document version number.
  
  Minimum value is 1.
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

PATCH /api/lists

curl \
 --request PATCH 'https://<KIBANA_URL>/api/lists' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"id":"ip_list","name":"Bad ips list - UPDATED"}'

Request example

{
  "id": "ip_list",
  "name": "Bad ips list - UPDATED"
}

Response examples (200)

{
  "id": "ip_list",
  "name": "Bad ips list - UPDATED",
  "type": "ip",
  "version": 2,
  "_version": "WzEsMV0=",
  "immutable": false,
  "@timestamp": "2025-01-08T04:47:34.273Z",
  "created_at": "2025-01-08T04:47:34.273Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:21:53.843Z",
  "updated_by": "elastic",
  "description": "This list describes bad internet ips",
  "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request body]: name: Expected string, received number",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "list id: \\\"foo\\\" not found",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Get value lists

GET /api/lists/_find

Api key auth

Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page.

Query parameters

page integer

The page number to return.
per_page integer

The number of value lists to return per page.
sort_field string(nonempty)

Determines which field is used to sort the results.

Minimum length is 1.
sort_order string

Determines the sort order, which can be desc or asc

Values are desc or asc.
cursor string(nonempty)

Returns the lists that come after the last lists returned in the previous call (use the cursor value returned in the previous call). This parameter uses the tie_breaker_id field to ensure all lists are sorted and returned correctly.

Minimum length is 1.
filter string

Filters the returned results according to the value of the specified field, using the : syntax.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- cursor string(nonempty) Required
  
  Minimum length is 1.
- data array[object] Required
  
  Hide data attributes Show data attributes object
  
  _version string
  
  The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
  
  @timestamp string(date-time)
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string Required
  
  Autogenerated value - user that created object.
  
  description string(nonempty) Required
  
  Describes the value list.
  
  Minimum length is 1.
  
  deserializer string
  
  Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
  
  {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
  
  {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
  
  {{{gte}}},{{{lte}}} - Date range values.
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  immutable boolean Required
  
  meta object
  
  Placeholder for metadata about the value list.
  
  Additional properties are allowed.
  
  name string(nonempty) Required
  
  Value list's name.
  
  Minimum length is 1.
  
  serializer string
  
  Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
  
  (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
  
  (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
  
  tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  updated_at string(date-time) Required
  
  Autogenerated date of last object update.
  
  updated_by string Required
  
  Autogenerated value - user that last updated object.
  
  version integer Required
  
  The document version number.
  
  Minimum value is 1.
- page integer Required
  
  Minimum value is 0.
- per_page integer Required
  
  Minimum value is 0.
- total integer Required
  
  Minimum value is 0.
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/lists/_find

curl \
 --request GET 'https://<KIBANA_URL>/api/lists/_find' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data": [
    {
      "id": "ip_list",
      "name": "Simple list with an ip",
      "type": "ip",
      "version": 1,
      "_version": "WzAsMV0=",
      "immutable": false,
      "@timestamp": "2025-01-08T04:47:34.273Z\n",
      "created_at": "2025-01-08T04:47:34.273Z\n",
      "created_by": "elastic",
      "updated_at": "2025-01-08T04:47:34.273Z\n",
      "updated_by": "elastic",
      "description": "This list describes bad internet ip",
      "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
    }
  ],
  "page": 1,
  "total": 1,
  "cursor": "WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d",
  "per_page": 20
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request query]: page: Expected number, received nan",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

params object

Body Required

forId string | array[string]

agents array[string] | string Required

value string | number Required

package_policies array[string] | array[object]

Body object

key object | string

key object | string

key object | string

key object | string Required

item object Required

key object | string

key object | string

key object | string

key object | string Required

es_key object | string

key object | string

es_key object | string

key object | string

Body object Required

Body Required

Body Required

Body Required

Body Required

Body Required

Body Required

Security Osquery Dismiss highlight