Get rule details Beta

GET /api/alerting/rule/{id}

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • Additional properties are allowed.

    • Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • Total number of alerts created during last rule run.

            • Total number of alerts detected during last rule run.

            • Total time spent indexing documents during last rule run in milliseconds.

            • Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • Relative URL to view rule in the app.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

GET /api/alerting/rule/{id}
curl \
 --request GET https://<KIBANA_URL>/api/alerting/rule/{id}
Response examples (200)
{
  "actions": [
    {
      "alerts_filter": {
        "query": {
          "dsl": "string",
          "filters": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {},
              "query": {}
            }
          ],
          "kql": "string"
        },
        "timeframe": {
          "days": [
            1
          ],
          "hours": {
            "end": "string",
            "start": "string"
          },
          "timezone": "string"
        }
      },
      "connector_type_id": "string",
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": true,
        "throttle": "string"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "use_alert_data_for_template": true,
      "uuid": "string"
    }
  ],
  "active_snoozes": [
    "string"
  ],
  "alert_delay": {
    "active": 42.0
  },
  "api_key_created_by_user": true,
  "api_key_owner": "string",
  "consumer": "string",
  "created_at": "string",
  "created_by": "string",
  "enabled": true,
  "execution_status": {
    "error": {
      "message": "string",
      "reason": "read"
    },
    "last_duration": 42.0,
    "last_execution_date": "string",
    "status": "ok",
    "warning": {
      "message": "string",
      "reason": "maxExecutableActions"
    }
  },
  "flapping": {
    "look_back_window": 42.0,
    "status_change_threshold": 42.0
  },
  "id": "string",
  "is_snoozed_until": "string",
  "last_run": {
    "alerts_count": {
      "active": 42.0,
      "ignored": 42.0,
      "new": 42.0,
      "recovered": 42.0
    },
    "outcome": "succeeded",
    "outcome_msg": [
      "string"
    ],
    "outcome_order": 42.0,
    "warning": "read"
  },
  "mapped_params": {},
  "monitoring": {
    "run": {
      "calculated_metrics": {
        "p50": 42.0,
        "p95": 42.0,
        "p99": 42.0,
        "success_ratio": 42.0
      },
      "history": [
        {
          "duration": 42.0,
          "outcome": "succeeded",
          "success": true,
          "timestamp": 42.0
        }
      ],
      "last_run": {
        "metrics": {
          "duration": 42.0,
          "gap_duration_s": 42.0,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_alerts_created": 42.0,
          "total_alerts_detected": 42.0,
          "total_indexing_duration_ms": 42.0,
          "total_search_duration_ms": 42.0
        },
        "timestamp": "string"
      }
    }
  },
  "mute_all": true,
  "muted_alert_ids": [
    "string"
  ],
  "name": "string",
  "next_run": "string",
  "notify_when": "onActionGroupChange",
  "params": {},
  "revision": 42.0,
  "rule_type_id": "string",
  "running": true,
  "schedule": {
    "interval": "string"
  },
  "scheduled_task_id": "string",
  "snooze_schedule": [
    {
      "duration": 42.0,
      "id": "string",
      "rRule": {
        "byhour": [
          42.0
        ],
        "byminute": [
          42.0
        ],
        "bymonth": [
          42.0
        ],
        "bymonthday": [
          42.0
        ],
        "bysecond": [
          42.0
        ],
        "bysetpos": [
          42.0
        ],
        "byweekday": [
          "string"
        ],
        "byweekno": [
          42.0
        ],
        "byyearday": [
          42.0
        ],
        "count": 42.0,
        "dtstart": "string",
        "freq": 0,
        "interval": 42.0,
        "tzid": "string",
        "until": "string",
        "wkst": "MO"
      },
      "skipRecurrences": [
        "string"
      ]
    }
  ],
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updated_at": "string",
  "updated_by": "string",
  "view_in_app_relative_url": "string"
}








Delete a rule Beta

DELETE /api/alerting/rule/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

DELETE /api/alerting/rule/{id}
curl \
 --request DELETE https://<KIBANA_URL>/api/alerting/rule/{id} \
 --header "kbn-xsrf: true"
























Unmute an alert Beta

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
curl \
 --request POST https://<KIBANA_URL>/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute \
 --header "kbn-xsrf: true"





Get a list of agent configurations Beta

GET /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • configurations array[object]

      Agent configuration

      Hide configurations attributes Show configurations attributes object
      • @timestamp number Required

        Timestamp

      • Agent name

      • Applied by agent

      • etag string Required

        Etag

      • service object Required

        Service

        Additional properties are allowed.

        Hide service attributes Show service attributes object
      • settings object Required

        Agent configuration settings

        Hide settings attribute Show settings attribute object
        • * string Additional properties
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration
curl \
 --request GET https://<KIBANA_URL>/api/apm/settings/agent-configuration \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "configurations": [
    {
      "@timestamp": 1730194190636,
      "agent_name": "string",
      "applied_by_agent": true,
      "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
      "service": {
        "environment": "prod",
        "name": "node"
      },
      "settings": {
        "additionalProperty1": "string",
        "additionalProperty2": "string"
      }
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Create or update agent configuration Beta

PUT /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • overwrite boolean

    If the config exists ?overwrite=true is required

application/json

Body Required

  • Agent name

  • service object Required

    Service

    Additional properties are allowed.

    Hide service attributes Show service attributes object
  • settings object Required

    Agent configuration settings

    Hide settings attribute Show settings attribute object
    • * string Additional properties

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
PUT /api/apm/settings/agent-configuration
curl \
 --request PUT https://<KIBANA_URL>/api/apm/settings/agent-configuration \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"agent_name":"string","service":{"environment":"prod","name":"node"},"settings":{"additionalProperty1":"string","additionalProperty2":"string"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "agent_name": "string",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Delete agent configuration Beta

DELETE /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
DELETE /api/apm/settings/agent-configuration
curl \
 --request DELETE https://<KIBANA_URL>/api/apm/settings/agent-configuration \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"environment":"prod","name":"node"}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "environment": "prod",
  "name": "node"
}
Response examples (200)
{
  "result": "string"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get agent name for service Beta

GET /api/apm/settings/agent-configuration/agent_name

Retrieve agentName for a service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/agent_name
curl \
 --request GET https://<KIBANA_URL>/api/apm/settings/agent-configuration/agent_name?serviceName=node \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "agentName": "nodejs"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}


























APM server schema

Create APM fleet server schema.





APM sourcemaps

Configure APM source maps.





Upload source map Beta

POST /api/apm/sourcemaps

Upload a source map for a specific service and version.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

multipart/form-data

Body Required

Responses

POST /api/apm/sourcemaps
curl \
 --request POST https://<KIBANA_URL>/api/apm/sourcemaps \
 --header "Content-Type: multipart/form-data" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --form "bundle_filepath=string" \
 --form "service_name=string" \
 --form "service_version=string" \
 --form "sourcemap=@file"
Response examples (200)
{
  "body": "string",
  "compressionAlgorithm": "string",
  "created": "string",
  "decodedSha256": "string",
  "decodedSize": 42.0,
  "encodedSha256": "string",
  "encodedSize": 42.0,
  "encryptionAlgorithm": "string",
  "id": "string",
  "identifier": "string",
  "packageName": "string",
  "relative_url": "string",
  "type": "string"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}




Connectors

Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.





Get connector information Beta

GET /api/actions/connector/{id}

Path parameters

  • id string Required

    An identifier for the connector.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.

GET /api/actions/connector/{id}
curl \
 --request GET https://<KIBANA_URL>/api/actions/connector/{id}
Response examples (200)
{
  "id": "df770e30-8b8b-11ed-a780-3b746c987a81",
  "name": "my_server_log_connector",
  "config": {},
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".server-log",
  "is_missing_secrets": false
}










































Get data streams Beta

GET /api/fleet/data_streams

[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].

Responses

GET /api/fleet/data_streams
curl \
 --request GET https://<KIBANA_URL>/api/fleet/data_streams
Response examples (200)
{
  "data_streams": [
    {
      "dashboards": [
        {
          "id": "string",
          "title": "string"
        }
      ],
      "dataset": "string",
      "index": "string",
      "last_activity_ms": 42.0,
      "namespace": "string",
      "package": "string",
      "package_version": "string",
      "serviceDetails": {
        "environment": "string",
        "serviceName": "string"
      },
      "size_in_bytes": 42.0,
      "size_in_bytes_formatted": 42.0,
      "type": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get data streams Beta

GET /api/fleet/epm/data_streams

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Query parameters

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attribute Show items attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/epm/data_streams
curl \
 --request GET https://<KIBANA_URL>/api/fleet/epm/data_streams
Response examples (200)
{
  "items": [
    {
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}














































































Upgrade an agent Beta

POST /api/fleet/agents/{agentId}/upgrade

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

Responses

  • 200 application/json

    Additional properties are NOT allowed.

  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agents/{agentId}/upgrade
curl \
 --request POST https://<KIBANA_URL>/api/fleet/agents/{agentId}/upgrade \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"skipRateLimitCheck":true,"source_uri":"string","version":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "skipRateLimitCheck": true,
  "source_uri": "string",
  "version": "string"
}
Response examples (200)
{}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}












Bulk request diagnostics from agents Beta

POST /api/fleet/agents/bulk_request_diagnostics

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/agents/bulk_request_diagnostics
curl \
 --request POST https://<KIBANA_URL>/api/fleet/agents/bulk_request_diagnostics \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"additional_metrics":["CPU"],"agents":["string"],"batchSize":42.0}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "additional_metrics": [
    "CPU"
  ],
  "agents": [
    "string"
  ],
  "batchSize": 42.0
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}








Bulk upgrade agents Beta

POST /api/fleet/agents/bulk_upgrade

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/agents/bulk_upgrade
curl \
 --request POST https://<KIBANA_URL>/api/fleet/agents/bulk_upgrade \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agents":["string"],"batchSize":42.0,"force":true,"includeInactive":false,"rollout_duration_seconds":42.0,"skipRateLimitCheck":true,"source_uri":"string","start_time":"string","version":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agents": [
    "string"
  ],
  "batchSize": 42.0,
  "force": true,
  "includeInactive": false,
  "rollout_duration_seconds": 42.0,
  "skipRateLimitCheck": true,
  "source_uri": "string",
  "start_time": "string",
  "version": "string"
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}













Update an agent binary download source Beta

PUT /api/fleet/agent_download_sources/{sourceId}

Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • host string(uri) Required
  • id string
  • is_default boolean

    Default value is false.

  • name string Required
  • proxy_id string | null

    The ID of the proxy to use for this download source. See the proxies API for more information.

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • host string(uri) Required
      • id string Required
      • is_default boolean

        Default value is false.

      • name string Required
      • proxy_id string | null

        The ID of the proxy to use for this download source. See the proxies API for more information.

  • 400 application/json
    Hide response attributes Show response attributes object
PUT /api/fleet/agent_download_sources/{sourceId}
curl \
 --request PUT https://<KIBANA_URL>/api/fleet/agent_download_sources/{sourceId} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host":"https://example.com","id":"string","is_default":false,"name":"string","proxy_id":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "host": "https://example.com",
  "id": "string",
  "is_default": false,
  "name": "string",
  "proxy_id": "string"
}
Response examples (200)
{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}












































Get outputs for agent policies Beta

POST /api/fleet/agent_policies/outputs

Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • ids array[string] Required

    list of package policy ids

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • data object Required

        Additional properties are NOT allowed.

        Hide data attributes Show data attributes object
      • monitoring object Required

        Additional properties are NOT allowed.

        Hide monitoring attribute Show monitoring attribute object
        • output object Required

          Additional properties are NOT allowed.

          Hide output attributes Show output attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agent_policies/outputs
curl \
 --request POST https://<KIBANA_URL>/api/fleet/agent_policies/outputs \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"ids":["string"]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "ids": [
    "string"
  ]
}
Response examples (200)
{
  "items": [
    {
      "agentPolicyId": "string",
      "data": {
        "integrations": [
          {
            "id": "string",
            "integrationPolicyName": "string",
            "name": "string",
            "pkgName": "string"
          }
        ],
        "output": {
          "id": "string",
          "name": "string"
        }
      },
      "monitoring": {
        "output": {
          "id": "string",
          "name": "string"
        }
      }
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}














Get incoming agent data Beta

GET /api/fleet/agent_status/data

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Query parameters

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • dataPreview array Required
    • items array[object] Required
      Hide items attribute Show items attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attribute Show * attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/agent_status/data
curl \
 --request GET https://<KIBANA_URL>/api/fleet/agent_status/data?agentsIds=string
Response examples (200)
{
  "dataPreview": [],
  "items": [
    {
      "additionalProperty1": {
        "data": true
      },
      "additionalProperty2": {
        "data": true
      }
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




























Delete an uploaded file Beta

DELETE /api/fleet/agents/files/{fileId}

Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/agents/files/{fileId}
curl \
 --request DELETE https://<KIBANA_URL>/api/fleet/agents/files/{fileId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "deleted": true,
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

















































Install a package from the registry Beta

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Query parameters

application/json

Body

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • _meta object Required

      Additional properties are NOT allowed.

      Hide _meta attribute Show _meta attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}
curl \
 --request POST https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":false,"ignore_constraints":false}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": false,
  "ignore_constraints": false
}
Response examples (200)
{
  "_meta": {
    "install_source": "string"
  },
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a package Beta

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}
curl \
 --request DELETE https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}








Get package stats Beta

GET /api/fleet/epm/packages/{pkgName}/stats

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • response object Required

      Additional properties are NOT allowed.

      Hide response attribute Show response attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/epm/packages/{pkgName}/stats
curl \
 --request GET https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/stats
Response examples (200)
{
  "response": {
    "agent_policy_count": 42.0
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}


































Check permissions Beta

GET /api/fleet/check-permissions

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • error string

      Values are MISSING_SECURITY, MISSING_PRIVILEGES, or MISSING_FLEET_SERVER_SETUP_PRIVILEGES.

    • success boolean Required
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/check-permissions
curl \
 --request GET https://<KIBANA_URL>/api/fleet/check-permissions
Response examples (200)
{
  "error": "MISSING_SECURITY",
  "success": true
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}












Initiate Fleet setup Beta

POST /api/fleet/setup

[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
  • 500 application/json
    Hide response attribute Show response attribute object
POST /api/fleet/setup
curl \
 --request POST https://<KIBANA_URL>/api/fleet/setup \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "isInitialized": true,
  "nonFatalErrors": [
    {
      "message": "string",
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (500)
{
  "message": "string"
}





































Bulk get package policies Beta

POST /api/fleet/package_policies/_bulk_get

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 404 application/json
    Hide response attribute Show response attribute object
POST /api/fleet/package_policies/_bulk_get
curl \
 --request POST https://<KIBANA_URL>/api/fleet/package_policies/_bulk_get \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"ids":["string"],"ignoreMissing":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "ids": [
    "string"
  ],
  "ignoreMissing": true
}
Response examples (200)
{
  "items": [
    {
      "agents": 42.0,
      "created_at": "string",
      "created_by": "string",
      "description": "string",
      "elasticsearch": {
        "privileges": {
          "cluster": [
            "string"
          ]
        }
      },
      "enabled": true,
      "id": "string",
      "inputs": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "policy_template": "string",
          "streams": [
            {
              "config": {
                "additionalProperty1": {
                  "frozen": true,
                  "type": "string"
                },
                "additionalProperty2": {
                  "frozen": true,
                  "type": "string"
                }
              },
              "data_stream": {
                "dataset": "string",
                "elasticsearch": {
                  "dynamic_dataset": true,
                  "dynamic_namespace": true,
                  "privileges": {
                    "indices": [
                      "string"
                    ]
                  }
                },
                "type": "string"
              },
              "enabled": true,
              "id": "string",
              "keep_enabled": true,
              "release": "ga",
              "vars": {
                "additionalProperty1": {
                  "frozen": true,
                  "type": "string"
                },
                "additionalProperty2": {
                  "frozen": true,
                  "type": "string"
                }
              }
            }
          ],
          "type": "string",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "is_managed": true,
      "name": "string",
      "namespace": "string",
      "output_id": "string",
      "overrides": {
        "inputs": {}
      },
      "package": {
        "experimental_data_stream_features": [
          {
            "data_stream": "string",
            "features": {
              "doc_value_only_numeric": true,
              "doc_value_only_other": true,
              "synthetic_source": true,
              "tsdb": true
            }
          }
        ],
        "name": "string",
        "requires_root": true,
        "title": "string",
        "version": "string"
      },
      "policy_id": "string",
      "policy_ids": [
        "string"
      ],
      "revision": 42.0,
      "secret_references": [
        {
          "id": "string"
        }
      ],
      "spaceIds": [
        "string"
      ],
      "supports_agentless": false,
      "updated_at": "string",
      "updated_by": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "version": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "message": "string"
}

Get a package policy Beta

GET /api/fleet/package_policies/{packagePolicyId}

Get a package policy by ID.

Query parameters

  • format string

    Values are simplified or legacy.

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 404 application/json
    Hide response attribute Show response attribute object
GET /api/fleet/package_policies/{packagePolicyId}
curl \
 --request GET https://<KIBANA_URL>/api/fleet/package_policies/{packagePolicyId}
Response examples (200)
{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "message": "string"
}








Bulk delete package policies Beta

POST /api/fleet/package_policies/delete

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/package_policies/delete
curl \
 --request POST https://<KIBANA_URL>/api/fleet/package_policies/delete \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"packagePolicyIds":["string"]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "packagePolicyIds": [
    "string"
  ]
}
Response examples (200)
[
  {
    "body": {
      "message": "string"
    },
    "id": "string",
    "name": "string",
    "output_id": "string",
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "statusCode": 42.0,
    "success": true
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}





































































































































Delete a conversation Beta

DELETE /api/security_ai_assistant/current_user/conversations/{id}

Delete an existing conversation using the conversation ID.

Path parameters

  • id string(nonempty) Required

    The conversation's id value.

    Minimum length is 1.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • LLM API configuration.

      Additional properties are allowed.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The last time conversation was updated.

    • excludeFromLastConversationStorage.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • isDefault boolean

      Is default conversation.

    • messages array[object]

      The conversation messages.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        metadata

        Additional properties are allowed.

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • trace Data

        Additional properties are allowed.

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • Replacements object used to anonymize/deanomymize messsages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object

      Additional properties are allowed.

      Hide summary attributes Show summary attributes object
      • How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • title string Required

      The conversation title.

    • The last time conversation was updated.

    • users array[object] Required
      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
DELETE /api/security_ai_assistant/current_user/conversations/{id}
curl \
 --request DELETE https://<KIBANA_URL>/api/security_ai_assistant/current_user/conversations/{id}
Response examples (200)
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "createdAt": "string",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "isDefault": true,
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "namespace": "string",
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "summary": {
    "confidence": "low",
    "content": "string",
    "public": true,
    "timestamp": "string"
  },
  "timestamp": "string",
  "title": "string",
  "updatedAt": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




















Read a Knowledge Base Entry Beta

GET /api/security_ai_assistant/knowledge_base/entries/{id}

Read a Knowledge Base Entry

Path parameters

  • id string(nonempty) Required

    The Knowledge Base Entry's id value.

    Minimum length is 1.

Responses

  • 200 application/json

    Successful request returning a Knowledge Base Entry

    Any of:
    Hide attributes Show attributes
    • name string Required

      Name of the Knowledge Base Entry

    • namespace string Required

      Kibana Space, defaults to 'default' space

    • users array[object] Required

      Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

      Hide users attributes Show users attributes object
    • createdAt string Required

      Time the Knowledge Base Entry was created

    • createdBy string Required

      User who created the Knowledge Base Entry

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • updatedAt string Required

      Time the Knowledge Base Entry was last updated

    • updatedBy string Required

      User who last updated the Knowledge Base Entry

    • kbResource string Required

      Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc

    • source string Required

      Source document name or filepath

    • text string Required

      Knowledge Base Entry content

    • type string Required Discriminator

      Entry type

      Value is document.

    • required boolean

      Whether this resource should always be included, defaults to false

    • vector object

      Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

      Additional properties are allowed.

      Hide vector attributes Show vector attributes object
      • modelId string Required

        ID of the model used to create the embeddings

      • tokens object Required

        Tokens with their corresponding values

        Hide tokens attribute Show tokens attribute object
        • * number Additional properties
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/knowledge_base/entries/{id}
curl \
 --request GET https://<KIBANA_URL>/api/security_ai_assistant/knowledge_base/entries/{id}
Response examples (200)
{
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "kbResource": "string",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}
{
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

































Delete a detection rule Beta

DELETE /api/detection_engine/rules

Delete a detection rule using the rule_id or id field.

Query parameters

  • id string(uuid)

    The rule's id value.

  • rule_id string

    The rule's rule_id value.

Responses

  • 200 application/json

    Indicates a successful call.

    Any of:
    Hide attributes Show attributes
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications.

      • Additional properties are allowed.

      • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Additional properties are allowed.

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • Values are savedObjectConversion or savedObjectImport.

    • author array[string] Required
    • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

    • description string Required

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled.

    • exceptions_list array[object] Required
      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • list_id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required
    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

      const investigationFields = z.object({
        field_names: NonEmptyArray(NonEmptyString),
        override: z.boolean().optional(),
      });
      

      Additional properties are allowed.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Minimum value is 1.

    • meta object

      Additional properties are allowed.

    • name string Required

      Minimum length is 1.

    • Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required
    • required_fields array[object] Required
      Hide required_fields attributes Show required_fields attributes object
      • ecs boolean Required

        Whether the field is an ECS field

      • name string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • type string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Hide attributes Show attributes
    • risk_score integer Required

      Risk score (0 to 100)

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • Sets the source field for the alert's signal.rule.name value

    • setup string Required
    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required
      • operator string Required

        Value is equals.

      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required
      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Additional properties are allowed.

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:

      Values are no_actions or rule.

    • Timeline template ID

    • Timeline template title

    • Sets the time field used to query indices

    • Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • Additional properties are allowed.

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required

        Additional properties are allowed.

        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required

          Additional properties are allowed.

          Hide metrics attributes Show metrics attributes object
          • Duration in seconds of execution gap

            Minimum value is 0.

          • Range of the execution gap

            Additional properties are allowed.

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A universally unique identifier

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      Minimum value is 0.

    • rule_id string Required

      Could be any string, not necessarily a UUID

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      EQL query to execute

    • type string Required Discriminator

      Rule type

      Value is eql.

    • Additional properties are allowed.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object

        Additional properties are allowed.

        Hide duration attributes Show duration attributes object
        • unit string Required

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • filters array
    • index array[string]
    • Sets a secondary field for sorting events

    • Contains the event timestamp used for sorting a sequence of events

DELETE /api/detection_engine/rules
curl \
 --request DELETE https://<KIBANA_URL>/api/detection_engine/rules
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "language": "eql",
  "query": "string",
  "type": "eql",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "event_category_override": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "tiebreaker_field": "string",
  "timestamp_field": "string"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "type": "query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "query": "string"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "saved_id": "string",
  "type": "saved_query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "query": "string",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "query": "string",
  "threshold": {
    "cardinality": [
      {
        "field": "string",
        "value": 42
      }
    ],
    "field": "string",
    "value": 42
  },
  "type": "threshold",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    }
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "query": "string",
  "threat_index": [
    "string"
  ],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "string",
          "type": "mapping",
          "value": "string"
        }
      ]
    }
  ],
  "threat_query": "string",
  "type": "threat_match",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "concurrent_searches": 42,
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "items_per_search": 42,
  "saved_id": "string",
  "threat_filters": [],
  "threat_indicator_path": "string",
  "threat_language": "kuery",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "anomaly_threshold": 42,
  "machine_learning_job_id": "string",
  "type": "machine_learning",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  }
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "history_window_start": "string",
  "new_terms_fields": [
    "string"
  ],
  "query": "string",
  "type": "new_terms",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "language": "esql",
  "query": "string",
  "type": "esql"
}
























Assign and unassign users from detection alerts Beta

POST /api/detection_engine/signals/assignees

Assign users to detection alerts, and unassign them from alerts.

You cannot add and remove the same assignee in the same request.

application/json

Body Required

  • assignees object Required

    Details about the assignees to assign and unassign.

    Additional properties are allowed.

    Hide assignees attributes Show assignees attributes object
    • add array[string(nonempty)] Required

      A list of users ids to assign.

      Minimum length of each is 1.

    • remove array[string(nonempty)] Required

      A list of users ids to unassign.

      Minimum length of each is 1.

  • ids array[string(nonempty)] Required

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

Responses

  • 200 application/ndjson

    Indicates a successful call.

  • Invalid request.

POST /api/detection_engine/signals/assignees
curl \
 --request POST https://<KIBANA_URL>/api/detection_engine/signals/assignees \
 --header "Content-Type: application/json" \
 --data '{"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"],"assignees":{"add":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"],"remove":[]}}'
Request examples
{
  "ids": [
    "681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
  ],
  "assignees": {
    "add": [
      "u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
    ],
    "remove": []
  }
}
{
  "ids": [
    "681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
  ],
  "assignees": {
    "add": [],
    "remove": [
      "u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
    ]
  }
}
Response examples (200)
{
  "took": "76,",
  "noops": 0,
  "total": "1,",
  "batches": "1,",
  "deleted": 0,
  "retries": [
    {
      "bulk": 0
    },
    {
      "search": 0
    }
  ],
  "updated": "1,",
  "failures": [],
  "timed_out": "false,",
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": "-1,",
  "throttled_until_millis": 0
}












List all detection rule tags Beta

GET /api/detection_engine/tags

List all unique tags from all detection rules.

Responses

  • 200 application/json

    Indicates a successful call

    String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

GET /api/detection_engine/tags
curl \
 --request GET https://<KIBANA_URL>/api/detection_engine/tags
Response examples (200)
[
  "string"
]

Create an endpoint exception list Beta

POST /api/endpoint_list

Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned.

Responses

  • 200 application/json

    Successful response

    One of:
    Hide attributes Show attributes
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • id string(nonempty) Required

      Exception list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the list container.

      Additional properties are allowed.

    • name string Required

      The name of the exception list.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows.

    • tags array[string]

      String array containing words and phrases to help categorize exception containers.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      The type of exception list to be created. Different list types may denote where they can be utilized.

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version, automatically increasd on updates.

      Minimum value is 1.

  • 400 application/json

    Invalid input data

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
POST /api/endpoint_list
curl \
 --request POST https://<KIBANA_URL>/api/endpoint_list
Response examples (200)
{
  "_version": "string",
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "This list tracks allowlisted values.",
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "immutable": true,
  "list_id": "simple_list",
  "meta": {},
  "name": "My exception list",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "detection",
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "version": 42
}
{}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}












Delete an endpoint exception list item Beta

DELETE /api/endpoint_list/items

Delete an endpoint exception list item using the id or item_id field.

Query parameters

  • id string(nonempty)

    Either id or item_id must be specified

    Minimum length is 1.

  • item_id string(nonempty)

    Either id or item_id must be specified

    Minimum length is 1.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • comments array[object] Required

      Array of comment fields:

      • comment (string): Comments about the exception item.
      Hide comments attributes Show comments attributes object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updated_at string(date-time)

        Autogenerated date of last object update.

      • updated_by string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)

      The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

    • id string(nonempty) Required

      Exception's identifier.

      Minimum length is 1.

    • item_id string(nonempty) Required

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows.

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Value is simple.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

  • 400 application/json

    Invalid input data

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 404 application/json

    Endpoint list item not found

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
DELETE /api/endpoint_list/items
curl \
 --request DELETE https://<KIBANA_URL>/api/endpoint_list/items
Response examples (200)
{
  "_version": "string",
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "expire_time": "2025-05-04T09:42:00+00:00",
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "meta": {},
  "name": "string",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "simple",
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (404)
{
  "message": "string",
  "status_code": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}