Export detection rules

Create a rule

POST /api/alerting/rule/{id}

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule. If it is omitted, an ID is randomly generated.

application/json

Body

actions array[object]

An action that runs under defined conditions.

Default value is [] (empty).
Hide actions attributes Show actions attributes object
- alerts_filter object
  
  Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
  
  Additional properties are NOT allowed.
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
- frequency object
  
  Additional properties are NOT allowed.
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
- id string Required
  
  The identifier for the connector saved object.
- params object
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Default value is {} (empty). Additional properties are allowed.
- use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
- uuid string
  
  A universally unique identifier (UUID) for the action.
alert_delay object

Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

Additional properties are NOT allowed.
Hide alert_delay attribute Show alert_delay attribute object
- active number Required
  
  The number of consecutive runs that must meet the rule conditions.
consumer string Required

The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled boolean

Indicates whether you want to run the rule on an interval basis after it is created.

Default value is true.
flapping object | null

When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

Additional properties are NOT allowed.
Hide flapping attributes Show flapping attributes object | null
- look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
- status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
name string Required

The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when string | null

Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
rule_type_id string Required

The rule type identifier.
schedule object Required

The check interval, which specifies how frequently the rule conditions are checked.

Additional properties are NOT allowed.
Hide schedule attribute Show schedule attribute object
- interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
tags array[string]

The tags for the rule.

Default value is [] (empty).
throttle string | null

Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
params object

The parameters for the rule.
Any of:
params_property_apm_anomaly object params_property_apm_error_count object params_property_apm_transaction_duration object params_property_apm_transaction_error_rate object params_es_query_dsl_rule object params_es_query_esql_rule object params_es_query_kql_rule object params_index_threshold_rule object params_property_infra_inventory object Count object Ratio object params_property_infra_metric_threshold object params_property_slo_burn_rate object params_property_synthetics_uptime_tls object params_property_synthetics_monitor_status object
Hide attributes Show attributes

serviceName string

Filter the rule to apply to a specific service name.

transactionType string

Filter the rule to apply to a specific transaction type.

windowSize number Required

The size of the time window (in windowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

windowUnit string Required

The type of units for the time window. For example: minutes, hours, or days.

Values are m, h, or d.

environment string Required

Filter the rule to apply to a specific environment.

anomalySeverityType string Required

The severity of anomalies that will generate alerts: critical, major, minor, or warning.

Values are critical, major, minor, or warning.
Hide attributes Show attributes

serviceName string

Filter the errors coming from your application to apply the rule to a specific service.

windowSize number Required

The time frame in which the errors must occur (in windowUnit units). Generally it should be a value higher than the rule check interval to avoid gaps in detection.

windowUnit string Required

The type of units for the time window: minutes, hours, or days.

Values are m, h, or d.

environment string Required

Filter the errors coming from your application to apply the rule to a specific environment.

threshold number Required

The error count threshold.

groupBy array[string]

Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.

Values are service.name, service.environment, transaction.name, or error.grouping_key. Default value is ["service.name", "service.environment"].

errorGroupingKey string

Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties.
Hide attributes Show attributes

serviceName string

Filter the rule to apply to a specific service.

transactionType string

Filter the rule to apply to a specific transaction type.

transactionName string

Filter the rule to apply to a specific transaction name.

windowSize number Required

The size of the time window (in windowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

windowUnit string Required

The type of units for the time window. For example: minutes, hours, or days.

Values are m, h, or d.

environment string Required

Filter the rule to apply to a specific environment.

threshold number Required

The latency threshold value.

groupBy array[string]

Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.

Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].

aggregationType string Required

The type of aggregation to perform.

Values are avg, 95th, or 99th.
Hide attributes Show attributes

serviceName string

The service name from APM

transactionType string

The transaction type from APM

transactionName string

The transaction name from APM

windowSize number Required

The window size

windowUnit string Required

The window size unit

Values are m, h, or d.

environment string Required

The environment from APM

threshold number Required

The error rate threshold value

groupBy array[string]

Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].
An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

esQuery string Required

The query definition, which uses Elasticsearch Query DSL.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

index array[string] | string Required

The indices to query.

One of:
array-1 array[string] string-2 string

searchType string

The type of query, in this case a query that uses Elasticsearch Query DSL.

Value is esQuery. Default value is esQuery.

size integer

The number of documents to pass to the configured actions when the threshold condition is met.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string Required

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

esqlQuery object Required

Hide esqlQuery attribute Show esqlQuery attribute object

esql string Required

The query definition, which uses Elasticsearch Query Language.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

searchType string Required

The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).

Value is esqlQuery.

size integer Required

When searchType is esqlQuery, this property is required but it does not affect the rule behavior.

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. When searchType is esqlQuery, this property is required and must be set to zero.

Minimum value of each is 0, maximum value of each is 0.

thresholdComparator string Required

The comparison function for the threshold. When searchType is esqlQuery, this property is required and must be set to ">". Since the threshold value must be 0, the result is that an alert occurs whenever the query returns results.

Value is >.

timeField string

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

searchConfiguration object

The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.

Hide searchConfiguration attributes Show searchConfiguration attributes object

filter array[object]

A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

Hide filter attributes Show filter attributes object

meta object

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

type string

value string

query object

$state object

index string | array[string]

The indices to query.

One of:
string-1 string array-2 array[string]

query object

Hide query attributes Show query attributes object

language string

query string

searchType string Required

The type of query, in this case a text-based query that uses KQL or Lucene.

Value is searchSource.

size integer Required

The number of documents to pass to the configured actions when the threshold condition is met.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when rule_type_id is .index-threshold.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

filterKuery string

A KQL expression thats limits the scope of alerts.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

index array[string] Required

The indices to query.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string Required

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
Hide attributes Show attributes

criteria array[object]

Hide criteria attributes Show criteria attributes object

metric string

Values are count, cpu, diskLatency, load, memory, memoryTotal, tx, rx, logRate, diskIOReadBytes, diskIOWriteBytes, s3TotalRequests, s3NumberOfObjects, s3BucketSize, s3DownloadBytes, s3UploadBytes, rdsConnections, rdsQueriesExecuted, rdsActiveTransactions, rdsLatency, sqsMessagesVisible, sqsMessagesDelayed, sqsMessagesSent, sqsMessagesEmpty, sqsOldestMessage, or custom.

timeSize number

timeUnit string

Values are s, m, h, or d.

sourceId string

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

customMetric object

Hide customMetric attributes Show customMetric attributes object

type string

Value is custom.

field string

aggregation string

Values are avg, max, min, or rate.

id string

label string

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

filterQuery string

filterQueryText string

nodeType string

Values are host, pod, container, awsEC2, awsS3, awsSQS, or awsRDS.

sourceId string

alertOnNoData boolean
Hide attributes Show attributes

criteria array[object]

Hide criteria attributes Show criteria attributes object

field string

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number | string

One of:
number-1 number string-2 string

count object Required

Hide count attributes Show count attributes object

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number

timeSize number Required

timeUnit string Required

Values are s, m, h, or d.

logView object Required

Hide logView attributes Show logView attributes object

logViewId string

type string

Value is log-view-reference.

groupBy array[string]
Hide attributes Show attributes

criteria array[array]

Hide criteria attributes Show criteria attributes object

field string

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number | string

One of:
number-1 number string-2 string

count object Required

Hide count attributes Show count attributes object

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number

timeSize number Required

timeUnit string Required

Values are s, m, h, or d.

logView object Required

Hide logView attributes Show logView attributes object

logViewId string

type string

Value is log-view-reference.

groupBy array[string]
Hide attributes Show attributes

criteria array[object]

One of:
non count criterion object count criterion object custom criterion object

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

metric string

aggType string

Values are avg, max, min, cardinality, rate, count, sum, p95, p99, or custom.

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

aggType string

Value is count.

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

aggType string

Value is custom.

customMetric array[object]

One of:
object-1 object object-2 object

Hide attributes Show attributes

name string

aggType string

Values are avg, sum, max, min, or cardinality.

field string

equation string

label string

groupBy string | array[string]

One of:
string-1 string array-2 array[string]

filterQuery string

sourceId string

alertOnNoData boolean

alertOnGroupDisappear boolean
Hide attributes Show attributes

sloId string

The SLO identifier used by the rule

burnRateThreshold number

The burn rate threshold used to trigger the alert

maxBurnRateThreshold number

The maximum burn rate threshold value defined by the SLO error budget

longWindow object

The duration of the long window used to compute the burn rate

Hide longWindow attributes Show longWindow attributes object

value number

The duration value

unit string

The duration unit

shortWindow object

The duration of the short window used to compute the burn rate

Hide shortWindow attributes Show shortWindow attributes object

value number

The duration value

unit string

The duration unit
Hide attributes Show attributes

search string

certExpirationThreshold number

certAgeThreshold number
Hide attributes Show attributes

availability object

Hide availability attributes Show availability attributes object

range number

rangeUnit string

threshold string

filters string | object

One of:
string-1 string object-2 object Deprecated

locations array[string] Deprecated

numTimes number Required

search string

shouldCheckStatus boolean Required

shouldCheckAvailability boolean Required

timerangeCount number

timerangeUnit string

timerange object Deprecated

Hide timerange attributes Show timerange attributes object Deprecated

from string

to string

version number

isAutoGenerated boolean

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
409

Indicates that the rule id is already in use.

POST /api/alerting/rule/{id}

curl \
 --request POST 'https://<KIBANA_URL>/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'

Request examples

Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.

{
  "name": "my Elasticsearch query ESQL rule",
  "params": {
    "size": 0,
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActiveAlert"
      }
    }
  ],
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}

Create an Elasticsearch query rule that uses Kibana query language (KQL).

{
  "name": "my Elasticsearch query KQL rule",
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "rule_type_id": ".es-query"
}

Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.

{
  "name": "my Elasticsearch query rule",
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      }
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}

Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.

{
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "alert_delay": {
    "active": 3
  },
  "rule_type_id": ".index-threshold"
}

Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.

{
  "name": "my tracking rule",
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField\"": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1h"
  },
  "rule_type_id": ".geo-containment"
}

Response examples (200)

The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).

{
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "name": "my Elasticsearch query ESQL rule",
  "tags": [],
  "params": {
    "size": 0,
    "aggType": "count",
    "groupBy": "all",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun\"": "true,"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActiveAlert"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "stackAlerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic\",",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-11-01T19:00:10.453Z"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "api_key_created_by_user": false
}

The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).

{
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "name": "my Elasticsearch query KQL rule\"",
  "tags": [],
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-07-14T20:24:50.729Z"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "api_key_created_by_user": false
}

The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).

{
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "name": "my Elasticsearch query rule",
  "tags": [],
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "aggType": "count",
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "groupBy": "all",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "searchType": "esQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      },
      "connector_type_id": ".server-log"
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-08-22T00:03:38.263Z"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "api_key_created_by_user": false
}

The response for successfully creating an index threshold rule.

{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic",
  "alert_delay": {
    "active": 3
  },
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2022-06-08T17:20:31.632Z"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "api_key_created_by_user": false
}

The response for successfully creating a tracking containment rule.

{
  "id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "name": "my tracking rule",
  "tags": [],
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    },
    "outcome_order": 0
  },
  "mute_all": false,
  "next_run": "2024-02-15T03:26:38.033Z",
  "revision": 1,
  "schedule": {
    "interval": "1h"
  },
  "throttle": null,
  "created_at": "2024-02-14T19:52:55.920Z",
  "created_by": "elastic",
  "updated_at": "2024-02-15T03:24:32.574Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".geo-containment",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 74,
    "last_execution_date": "2024-02-15T03:25:38.125Z"
  },
  "scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "api_key_created_by_user": false
}

Disable a rule

POST /api/alerting/rule/{id}/_disable

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

application/json

Body

untrack boolean

Defines whether this rule's alerts should be untracked.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_disable

curl \
 --request POST 'https://<KIBANA_URL>/api/alerting/rule/{id}/_disable' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"untrack":true}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "untrack": true
}

Get single agent configuration

GET /api/apm/settings/agent-configuration/view

Api key auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

name string

Service name
environment string

Service environment

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- id string Required
- @timestamp number Required
  
  Timestamp
- agent_name string
  
  Agent name
- applied_by_agent boolean
  
  Applied by agent
- etag string Required
  
  etag is sent by the APM agent to indicate the etag of the last successfully applied configuration. If the etag matches an existing configuration its applied_by_agent property will be set to true. Every time a configuration is edited applied_by_agent is reset to false.
- service object Required
  
  Service
  
  Hide service attributes Show service attributes object
  
  environment string
  
  The environment of the service.
  
  name string
  
  The name of the service.
- settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration/view

curl \
 --request GET 'https://<KIBANA_URL>/api/apm/settings/agent-configuration/view' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Response examples (200)

{
  "id": "string",
  "@timestamp": 1730194190636,
  "agent_name": "string",
  "applied_by_agent": true,
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}

Response examples (400)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Response examples (404)

{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Delete a connector

DELETE /api/actions/connector/{id}

Api key auth

WARNING: When you delete a connector, it cannot be recovered.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

Responses

204

Indicates a successful call.

DELETE /api/actions/connector/{id}

curl \
 --request DELETE 'https://<KIBANA_URL>/api/actions/connector/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get data streams

GET /api/fleet/epm/data_streams

Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Query parameters

type string

Values are logs, metrics, traces, synthetics, or profiling.
datasetQuery string
sortOrder string

Values are asc or desc. Default value is asc.
uncategorisedOnly boolean

Default value is false.

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attribute Show items attribute object
  
  name string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/epm/data_streams

curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/data_streams' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "items": [
    {
      "name": "string"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get all data views

GET /api/data_views

Api key auth

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view array[object]
  
  Hide data_view attributes Show data_view attributes object
  
  id string
  
  name string
  
  namespaces array[string]
  
  title string
  
  typeMeta object
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

GET /api/data_views

curl \
 --request GET 'https://<KIBANA_URL>/api/data_views' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data_view": [
    {
      "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
      "name": "Kibana Sample Data eCommerce",
      "title": "kibana_sample_data_ecommerce",
      "typeMeta": {},
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
      "name": "Kibana Sample Data Flights",
      "title": "kibana_sample_data_flights",
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "Kibana Sample Data Logs",
      "title": "kibana_sample_data_logs",
      "namespaces": [
        "default"
      ]
    }
  ]
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Get a data view

GET /api/data_views/data_view/{viewId}

Api key auth

Path parameters

viewId string Required

An identifier for the data view.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view object
  
  Hide data_view attributes Show data_view attributes object
  
  allowNoIndex boolean
  
  Allows the data view saved object to exist before the data is available.
  
  fieldAttrs object
  
  Hide fieldAttrs attribute Show fieldAttrs attribute object
  
  * object Additional properties
  
  A map of field attributes by field name.
  
  Hide * attributes Show * attributes object
  
  count integer
  
  Popularity count for the field.
  
  customDescription string
  
  Custom description for the field.
  
  Maximum length is 300.
  
  customLabel string
  
  Custom label for the field.
  
  fieldFormats object
  
  A map of field formats by field name.
  
  fields object
  
  id string
  
  name string
  
  The data view name.
  
  namespaces array[string]
  
  An array of space identifiers for sharing the data view between multiple spaces.
  
  Default value is default.
  
  runtimeFieldMap object
  
  Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
  
  * object Additional properties
  
  A map of runtime field definitions by field name.
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attribute Show script attribute object
  
  source string
  
  Script for the runtime field.
  
  type string Required
  
  Mapping type of the runtime field.
  
  sourceFilters array[object]
  
  The array of field names you want to filter out in Discover.
  
  Hide sourceFilters attribute Show sourceFilters attribute object
  
  value string Required
  
  timeFieldName string
  
  The timestamp field name, which you use for time-based data views.
  
  title string
  
  Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).
  
  typeMeta object | null
  
  When you use rollup indices, contains the field list for the rollup data view API endpoints.
  
  Hide typeMeta attributes Show typeMeta attributes object | null
  
  aggs object
  
  A map of rollup restrictions by aggregation type and field name.
  
  params object
  
  Properties for retrieving rollup fields.
  
  version string
404 application/json

Object is not found.
Hide response attributes Show response attributes object
- error string
  
  Value is Not Found.
- message string
- statusCode integer
  
  Value is 404.

GET /api/data_views/data_view/{viewId}

curl \
 --request GET 'https://<KIBANA_URL>/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data_view": {
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "Kibana Sample Data eCommerce",
    "title": "kibana_sample_data_ecommerce",
    "fields": {
      "_id": {
        "name": "_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_id"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "sku": {
        "name": "sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "type": {
        "name": "type",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "user": {
        "name": "user",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "email": {
        "name": "email",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_index": {
        "name": "_index",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_index"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_score": {
        "name": "_score",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_source": {
        "name": "_source",
        "type": "_source",
        "count": 0,
        "format": {
          "id": "_source"
        },
        "esTypes": [
          "_source"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "category": {
        "name": "category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "currency": {
        "name": "currency",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_id": {
        "name": "order_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_date": {
        "name": "order_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_id": {
        "name": "customer_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week": {
        "name": "day_of_week",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer": {
        "name": "manufacturer",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products._id": {
        "name": "products._id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.sku": {
        "name": "products.sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week_i": {
        "name": "day_of_week_i",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "event.dataset": {
        "name": "event.dataset",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_phone": {
        "name": "customer_phone",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.location": {
        "name": "geoip.location",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.price": {
        "name": "products.price",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_quantity": {
        "name": "total_quantity",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_gender": {
        "name": "customer_gender",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.city_name": {
        "name": "geoip.city_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "category.keyword": {
        "name": "category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.region_name": {
        "name": "geoip.region_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category": {
        "name": "products.category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.quantity": {
        "name": "products.quantity",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name": {
        "name": "customer_full_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "customer_last_name": {
        "name": "customer_last_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.min_price": {
        "name": "products.min_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxful_total_price": {
        "name": "taxful_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.[00]"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_birth_date": {
        "name": "customer_birth_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name": {
        "name": "customer_first_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.base_price": {
        "name": "products.base_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.created_on": {
        "name": "products.created_on",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_id": {
        "name": "products.product_id",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "long"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.tax_amount": {
        "name": "products.tax_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxless_total_price": {
        "name": "taxless_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.continent_name": {
        "name": "geoip.continent_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer.keyword": {
        "name": "manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products._id.keyword": {
        "name": "products._id.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products._id"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer": {
        "name": "products.manufacturer",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.product_name": {
        "name": "products.product_name",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.taxful_price": {
        "name": "products.taxful_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_unique_products": {
        "name": "total_unique_products",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.country_iso_code": {
        "name": "geoip.country_iso_code",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.taxless_price": {
        "name": "products.taxless_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.base_unit_price": {
        "name": "products.base_unit_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_amount": {
        "name": "products.discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category.keyword": {
        "name": "products.category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name.keyword": {
        "name": "customer_full_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_full_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_last_name.keyword": {
        "name": "customer_last_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_last_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name.keyword": {
        "name": "customer_first_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_first_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_percentage": {
        "name": "products.discount_percentage",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer.keyword": {
        "name": "products.manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_name.keyword": {
        "name": "products.product_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.product_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.unit_discount_amount": {
        "name": "products.unit_discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      }
    },
    "version": "WzUsMV0=",
    "typeMeta": {},
    "fieldAttrs": {
      "products.price": {
        "count": 1
      },
      "total_quantity": {
        "count": 1
      },
      "products.manufacturer": {
        "count": 1
      },
      "products.product_name": {
        "count": 1
      }
    },
    "namespaces": [
      "default"
    ],
    "allowNoIndex": false,
    "fieldFormats": {
      "products.price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.min_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxful_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.[00]"
        }
      },
      "products.base_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxless_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxful_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxless_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.base_unit_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      }
    },
    "sourceFilters": [],
    "timeFieldName": "order_date",
    "runtimeFieldMap": {}
  }
}

Response examples (404)

{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Get an agent binary download source

GET /api/fleet/agent_download_sources/{sourceId}

Api key auth

Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  host string(uri) Required
  
  id string Required
  
  is_default boolean
  
  Default value is false.
  
  name string Required
  
  proxy_id string | null
  
  The ID of the proxy to use for this download source. See the proxies API for more information.
  
  secrets object
  
  Additional properties are NOT allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agent_download_sources/{sourceId}

curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agent_download_sources/{sourceId}' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string",
    "secrets": {
      "ssl": {
        "key": {
          "id": "string"
        }
      }
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string"
    }
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agent policies

GET /api/fleet/agent_policies

Api key auth

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.

Query parameters

page number
perPage number
sortField string
sortOrder string

Values are desc or asc.
showUpgradeable boolean
kuery string
noAgentCount boolean Deprecated

use withAgentCount instead
withAgentCount boolean

get policies with agent count
full boolean

get full policies with package policies populated
format string

Values are simplified or legacy.

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  advanced_settings object
  
  Additional properties are NOT allowed.
  
  Hide advanced_settings attributes Show advanced_settings attributes object
  
  agent_download_target_directory
  
  agent_download_timeout
  
  agent_limits_go_max_procs
  
  agent_logging_files_interval
  
  agent_logging_files_keepfiles
  
  agent_logging_files_rotateeverybytes
  
  agent_logging_level
  
  agent_logging_metrics_period
  
  agent_logging_to_files
  
  agent_features array[object]
  
  Hide agent_features attributes Show agent_features attributes object
  
  enabled boolean Required
  
  name string Required
  
  agentless object
  
  Additional properties are NOT allowed.
  
  Hide agentless attribute Show agentless attribute object
  
  resources object
  
  Additional properties are NOT allowed.
  
  Hide resources attribute Show resources attribute object
  
  requests object
  
  Additional properties are NOT allowed.
  
  Hide requests attributes Show requests attributes object
  
  cpu string
  
  memory string
  
  agents number
  
  data_output_id string | null
  
  description string
  
  download_source_id string | null
  
  fleet_server_host_id string | null
  
  global_data_tags array[object]
  
  User defined data tags that are added to all of the inputs. The values can be strings or numbers.
  
  Hide global_data_tags attributes Show global_data_tags attributes object
  
  name string Required
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  has_fleet_server boolean
  
  id string Required
  
  inactivity_timeout number
  
  Minimum value is 0. Default value is 1209600.
  
  is_default boolean
  
  is_default_fleet_server boolean
  
  is_managed boolean Required
  
  is_preconfigured boolean
  
  is_protected boolean Required
  
  Indicates whether the agent policy has tamper protection enabled. Default false.
  
  keep_monitoring_alive boolean | null
  
  When set to true, monitoring will be enabled but logs/metrics collection will be disabled
  
  Default value is false.
  
  monitoring_diagnostics object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_diagnostics attributes Show monitoring_diagnostics attributes object
  
  limit object
  
  Additional properties are NOT allowed.
  
  Hide limit attributes Show limit attributes object
  
  burst number
  
  interval string
  
  uploader object
  
  Additional properties are NOT allowed.
  
  Hide uploader attributes Show uploader attributes object
  
  init_dur string
  
  max_dur string
  
  max_retries number
  
  monitoring_enabled array[string]
  
  Values are logs, metrics, or traces.
  
  monitoring_http object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_http attributes Show monitoring_http attributes object
  
  buffer object
  
  Additional properties are NOT allowed.
  
  Hide buffer attribute Show buffer attribute object
  
  enabled boolean
  
  Default value is false.
  
  enabled boolean
  
  host string
  
  port number
  
  Minimum value is 0, maximum value is 65353.
  
  monitoring_output_id string | null
  
  monitoring_pprof_enabled boolean
  
  name string Required
  
  Minimum length is 1.
  
  namespace string Required
  
  Minimum length is 1.
  
  overrides object | null
  
  Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are allowed.
  
  package_policies array[string] | array[object]
  
  Any of:
  array-1 array[string] array-2 array[object]
  
  This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
  
  Hide attributes Show attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
  
  required_versions array[object] | null
  
  Hide required_versions attributes Show required_versions attributes object
  
  percentage number Required
  
  Target percentage of agents to auto upgrade
  
  Minimum value is 0, maximum value is 100.
  
  version string Required
  
  Target version for automatic agent upgrade
  
  revision number Required
  
  schema_version string
  
  space_ids array[string]
  
  status string Required
  
  Values are active or inactive.
  
  supports_agentless boolean | null
  
  Indicates whether the agent policy supports agentless integrations.
  
  Default value is false.
  
  unenroll_timeout number
  
  Minimum value is 0.
  
  unprivileged_agents number
  
  updated_at string Required
  
  updated_by string Required
  
  version string
- page number Required
- perPage number Required
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agent_policies

curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agent_policies' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "items": [
    {
      "advanced_settings": {},
      "agent_features": [
        {
          "enabled": true,
          "name": "string"
        }
      ],
      "agentless": {
        "resources": {
          "requests": {
            "cpu": "string",
            "memory": "string"
          }
        }
      },
      "agents": 42.0,
      "data_output_id": "string",
      "description": "string",
      "download_source_id": "string",
      "fleet_server_host_id": "string",
      "global_data_tags": [
        {
          "name": "string",
          "value": "string"
        }
      ],
      "has_fleet_server": true,
      "id": "string",
      "inactivity_timeout": 1209600,
      "is_default": true,
      "is_default_fleet_server": true,
      "is_managed": true,
      "is_preconfigured": true,
      "is_protected": true,
      "keep_monitoring_alive": false,
      "monitoring_diagnostics": {
        "limit": {
          "burst": 42.0,
          "interval": "string"
        },
        "uploader": {
          "init_dur": "string",
          "max_dur": "string",
          "max_retries": 42.0
        }
      },
      "monitoring_enabled": [
        "logs"
      ],
      "monitoring_http": {
        "buffer": {
          "enabled": false
        },
        "enabled": true,
        "host": "string",
        "port": 42.0
      },
      "monitoring_output_id": "string",
      "monitoring_pprof_enabled": true,
      "name": "string",
      "namespace": "string",
      "overrides": {},
      "package_policies": [
        "string"
      ],
      "required_versions": [
        {
          "percentage": 42.0,
          "version": "string"
        }
      ],
      "revision": 42.0,
      "schema_version": "string",
      "space_ids": [
        "string"
      ],
      "status": "active",
      "supports_agentless": false,
      "unenroll_timeout": 42.0,
      "unprivileged_agents": 42.0,
      "updated_at": "string",
      "updated_by": "string",
      "version": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Create an agent policy

POST /api/fleet/agent_policies

Api key auth

[Required authorization] Route required privileges: fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Body

advanced_settings object

Additional properties are NOT allowed.
Hide advanced_settings attributes Show advanced_settings attributes object
agent_features array[object]
Hide agent_features attributes Show agent_features attributes object
- enabled boolean Required
- name string Required
agentless object

Additional properties are NOT allowed.
Hide agentless attribute Show agentless attribute object
- resources object
  
  Additional properties are NOT allowed.
  Hide resources attribute Show resources attribute object
  
  requests object
  
  Additional properties are NOT allowed.
  
  Hide requests attributes Show requests attributes object
  
  cpu string
  
  memory string
data_output_id string | null
description string
download_source_id string | null
fleet_server_host_id string | null
force boolean
global_data_tags array[object]

User defined data tags that are added to all of the inputs. The values can be strings or numbers.
Hide global_data_tags attributes Show global_data_tags attributes object
- name string Required
- value string | number Required
  
  Any of:
  string-1 string number-2 number
has_fleet_server boolean
id string
inactivity_timeout number

Minimum value is 0. Default value is 1209600.
is_default boolean
is_default_fleet_server boolean
is_managed boolean
is_protected boolean
keep_monitoring_alive boolean | null

When set to true, monitoring will be enabled but logs/metrics collection will be disabled

Default value is false.
monitoring_diagnostics object

Additional properties are NOT allowed.
Hide monitoring_diagnostics attributes Show monitoring_diagnostics attributes object
- limit object
  
  Additional properties are NOT allowed.
  Hide limit attributes Show limit attributes object
  
  burst number
  
  interval string
- uploader object
  
  Additional properties are NOT allowed.
  Hide uploader attributes Show uploader attributes object
  
  init_dur string
  
  max_dur string
  
  max_retries number
monitoring_enabled array[string]

Values are logs, metrics, or traces.
monitoring_http object

Additional properties are NOT allowed.
Hide monitoring_http attributes Show monitoring_http attributes object
- buffer object
  
  Additional properties are NOT allowed.
  Hide buffer attribute Show buffer attribute object
  
  enabled boolean
  
  Default value is false.
- enabled boolean
- host string
- port number
  
  Minimum value is 0, maximum value is 65353.
monitoring_output_id string | null
monitoring_pprof_enabled boolean
name string Required

Minimum length is 1.
namespace string Required

Minimum length is 1.
overrides object | null

Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.

Additional properties are allowed.
required_versions array[object] | null
Hide required_versions attributes Show required_versions attributes object
- percentage number Required
  
  Target percentage of agents to auto upgrade
  
  Minimum value is 0, maximum value is 100.
- version string Required
  
  Target version for automatic agent upgrade
space_ids array[string]
supports_agentless boolean | null

Indicates whether the agent policy supports agentless integrations.

Default value is false.
unenroll_timeout number

Minimum value is 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  advanced_settings object
  
  Additional properties are NOT allowed.
  
  Hide advanced_settings attributes Show advanced_settings attributes object
  
  agent_download_target_directory
  
  agent_download_timeout
  
  agent_limits_go_max_procs
  
  agent_logging_files_interval
  
  agent_logging_files_keepfiles
  
  agent_logging_files_rotateeverybytes
  
  agent_logging_level
  
  agent_logging_metrics_period
  
  agent_logging_to_files
  
  agent_features array[object]
  
  Hide agent_features attributes Show agent_features attributes object
  
  enabled boolean Required
  
  name string Required
  
  agentless object
  
  Additional properties are NOT allowed.
  
  Hide agentless attribute Show agentless attribute object
  
  resources object
  
  Additional properties are NOT allowed.
  
  Hide resources attribute Show resources attribute object
  
  requests object
  
  Additional properties are NOT allowed.
  
  Hide requests attributes Show requests attributes object
  
  cpu string
  
  memory string
  
  agents number
  
  data_output_id string | null
  
  description string
  
  download_source_id string | null
  
  fleet_server_host_id string | null
  
  global_data_tags array[object]
  
  User defined data tags that are added to all of the inputs. The values can be strings or numbers.
  
  Hide global_data_tags attributes Show global_data_tags attributes object
  
  name string Required
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  has_fleet_server boolean
  
  id string Required
  
  inactivity_timeout number
  
  Minimum value is 0. Default value is 1209600.
  
  is_default boolean
  
  is_default_fleet_server boolean
  
  is_managed boolean Required
  
  is_preconfigured boolean
  
  is_protected boolean Required
  
  Indicates whether the agent policy has tamper protection enabled. Default false.
  
  keep_monitoring_alive boolean | null
  
  When set to true, monitoring will be enabled but logs/metrics collection will be disabled
  
  Default value is false.
  
  monitoring_diagnostics object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_diagnostics attributes Show monitoring_diagnostics attributes object
  
  limit object
  
  Additional properties are NOT allowed.
  
  Hide limit attributes Show limit attributes object
  
  burst number
  
  interval string
  
  uploader object
  
  Additional properties are NOT allowed.
  
  Hide uploader attributes Show uploader attributes object
  
  init_dur string
  
  max_dur string
  
  max_retries number
  
  monitoring_enabled array[string]
  
  Values are logs, metrics, or traces.
  
  monitoring_http object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_http attributes Show monitoring_http attributes object
  
  buffer object
  
  Additional properties are NOT allowed.
  
  Hide buffer attribute Show buffer attribute object
  
  enabled boolean
  
  Default value is false.
  
  enabled boolean
  
  host string
  
  port number
  
  Minimum value is 0, maximum value is 65353.
  
  monitoring_output_id string | null
  
  monitoring_pprof_enabled boolean
  
  name string Required
  
  Minimum length is 1.
  
  namespace string Required
  
  Minimum length is 1.
  
  overrides object | null
  
  Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are allowed.
  
  package_policies array[string] | array[object]
  
  Any of:
  array-1 array[string] array-2 array[object]
  
  This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
  
  Hide attributes Show attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
  
  required_versions array[object] | null
  
  Hide required_versions attributes Show required_versions attributes object
  
  percentage number Required
  
  Target percentage of agents to auto upgrade
  
  Minimum value is 0, maximum value is 100.
  
  version string Required
  
  Target version for automatic agent upgrade
  
  revision number Required
  
  schema_version string
  
  space_ids array[string]
  
  status string Required
  
  Values are active or inactive.
  
  supports_agentless boolean | null
  
  Indicates whether the agent policy supports agentless integrations.
  
  Default value is false.
  
  unenroll_timeout number
  
  Minimum value is 0.
  
  unprivileged_agents number
  
  updated_at string Required
  
  updated_by string Required
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agent_policies

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agent_policies' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"advanced_settings":{},"agent_features":[{"enabled":true,"name":"string"}],"agentless":{"resources":{"requests":{"cpu":"string","memory":"string"}}},"data_output_id":"string","description":"string","download_source_id":"string","fleet_server_host_id":"string","force":true,"global_data_tags":[{"name":"string","value":"string"}],"has_fleet_server":true,"id":"string","inactivity_timeout":1209600,"is_default":true,"is_default_fleet_server":true,"is_managed":true,"is_protected":true,"keep_monitoring_alive":false,"monitoring_diagnostics":{"limit":{"burst":42.0,"interval":"string"},"uploader":{"init_dur":"string","max_dur":"string","max_retries":42.0}},"monitoring_enabled":["logs"],"monitoring_http":{"buffer":{"enabled":false},"enabled":true,"host":"string","port":42.0},"monitoring_output_id":"string","monitoring_pprof_enabled":true,"name":"string","namespace":"string","overrides":{},"required_versions":[{"percentage":42.0,"version":"string"}],"space_ids":["string"],"supports_agentless":false,"unenroll_timeout":42.0}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "advanced_settings": {},
  "agent_features": [
    {
      "enabled": true,
      "name": "string"
    }
  ],
  "agentless": {
    "resources": {
      "requests": {
        "cpu": "string",
        "memory": "string"
      }
    }
  },
  "data_output_id": "string",
  "description": "string",
  "download_source_id": "string",
  "fleet_server_host_id": "string",
  "force": true,
  "global_data_tags": [
    {
      "name": "string",
      "value": "string"
    }
  ],
  "has_fleet_server": true,
  "id": "string",
  "inactivity_timeout": 1209600,
  "is_default": true,
  "is_default_fleet_server": true,
  "is_managed": true,
  "is_protected": true,
  "keep_monitoring_alive": false,
  "monitoring_diagnostics": {
    "limit": {
      "burst": 42.0,
      "interval": "string"
    },
    "uploader": {
      "init_dur": "string",
      "max_dur": "string",
      "max_retries": 42.0
    }
  },
  "monitoring_enabled": [
    "logs"
  ],
  "monitoring_http": {
    "buffer": {
      "enabled": false
    },
    "enabled": true,
    "host": "string",
    "port": 42.0
  },
  "monitoring_output_id": "string",
  "monitoring_pprof_enabled": true,
  "name": "string",
  "namespace": "string",
  "overrides": {},
  "required_versions": [
    {
      "percentage": 42.0,
      "version": "string"
    }
  ],
  "space_ids": [
    "string"
  ],
  "supports_agentless": false,
  "unenroll_timeout": 42.0
}

Response examples (200)

{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Copy an agent policy

POST /api/fleet/agent_policies/{agentPolicyId}/copy

Api key auth

Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

format string

Values are simplified or legacy.

application/json

Body

description string
name string Required

Minimum length is 1.

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  advanced_settings object
  
  Additional properties are NOT allowed.
  
  Hide advanced_settings attributes Show advanced_settings attributes object
  
  agent_download_target_directory
  
  agent_download_timeout
  
  agent_limits_go_max_procs
  
  agent_logging_files_interval
  
  agent_logging_files_keepfiles
  
  agent_logging_files_rotateeverybytes
  
  agent_logging_level
  
  agent_logging_metrics_period
  
  agent_logging_to_files
  
  agent_features array[object]
  
  Hide agent_features attributes Show agent_features attributes object
  
  enabled boolean Required
  
  name string Required
  
  agentless object
  
  Additional properties are NOT allowed.
  
  Hide agentless attribute Show agentless attribute object
  
  resources object
  
  Additional properties are NOT allowed.
  
  Hide resources attribute Show resources attribute object
  
  requests object
  
  Additional properties are NOT allowed.
  
  Hide requests attributes Show requests attributes object
  
  cpu string
  
  memory string
  
  agents number
  
  data_output_id string | null
  
  description string
  
  download_source_id string | null
  
  fleet_server_host_id string | null
  
  global_data_tags array[object]
  
  User defined data tags that are added to all of the inputs. The values can be strings or numbers.
  
  Hide global_data_tags attributes Show global_data_tags attributes object
  
  name string Required
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  has_fleet_server boolean
  
  id string Required
  
  inactivity_timeout number
  
  Minimum value is 0. Default value is 1209600.
  
  is_default boolean
  
  is_default_fleet_server boolean
  
  is_managed boolean Required
  
  is_preconfigured boolean
  
  is_protected boolean Required
  
  Indicates whether the agent policy has tamper protection enabled. Default false.
  
  keep_monitoring_alive boolean | null
  
  When set to true, monitoring will be enabled but logs/metrics collection will be disabled
  
  Default value is false.
  
  monitoring_diagnostics object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_diagnostics attributes Show monitoring_diagnostics attributes object
  
  limit object
  
  Additional properties are NOT allowed.
  
  Hide limit attributes Show limit attributes object
  
  burst number
  
  interval string
  
  uploader object
  
  Additional properties are NOT allowed.
  
  Hide uploader attributes Show uploader attributes object
  
  init_dur string
  
  max_dur string
  
  max_retries number
  
  monitoring_enabled array[string]
  
  Values are logs, metrics, or traces.
  
  monitoring_http object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_http attributes Show monitoring_http attributes object
  
  buffer object
  
  Additional properties are NOT allowed.
  
  Hide buffer attribute Show buffer attribute object
  
  enabled boolean
  
  Default value is false.
  
  enabled boolean
  
  host string
  
  port number
  
  Minimum value is 0, maximum value is 65353.
  
  monitoring_output_id string | null
  
  monitoring_pprof_enabled boolean
  
  name string Required
  
  Minimum length is 1.
  
  namespace string Required
  
  Minimum length is 1.
  
  overrides object | null
  
  Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are allowed.
  
  package_policies array[string] | array[object]
  
  Any of:
  array-1 array[string] array-2 array[object]
  
  This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
  
  Hide attributes Show attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
  
  required_versions array[object] | null
  
  Hide required_versions attributes Show required_versions attributes object
  
  percentage number Required
  
  Target percentage of agents to auto upgrade
  
  Minimum value is 0, maximum value is 100.
  
  version string Required
  
  Target version for automatic agent upgrade
  
  revision number Required
  
  schema_version string
  
  space_ids array[string]
  
  status string Required
  
  Values are active or inactive.
  
  supports_agentless boolean | null
  
  Indicates whether the agent policy supports agentless integrations.
  
  Default value is false.
  
  unenroll_timeout number
  
  Minimum value is 0.
  
  unprivileged_agents number
  
  updated_at string Required
  
  updated_by string Required
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agent_policies/{agentPolicyId}/copy

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agent_policies/{agentPolicyId}/copy' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"description":"string","name":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "name": "string"
}

Response examples (200)

{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a package

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}

Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Any of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  id string Required
  
  originId string
  
  type string Required
  
  Any of:
  string-1 string string-2 string
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  Hide attributes Show attributes
  
  deferred boolean
  
  id string Required
  
  type string Required
  
  Values are index, index_template, component_template, ingest_pipeline, ilm_policy, data_stream_ilm_policy, transform, or ml_model.
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}

curl \
 --request DELETE 'https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Response examples (200)

{
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Install Kibana assets for a package

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets

Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string Required

application/json

Body

force boolean
space_ids array[string]

When provided install assets in the specified spaces instead of the current space.

At least 1 element.

Responses

200 application/json
Hide response attribute Show response attribute object
- success boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"space_ids":["string"]}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "space_ids": [
    "string"
  ]
}

Response examples (200)

{
  "success": true
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Update output

PUT /api/fleet/outputs/{outputId}

Api key auth

Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

outputId string Required

application/json

Body object

allow_edit array[string]
ca_sha256 string | null
ca_trusted_fingerprint string | null
config_yaml string | null
hosts array[string(uri)]

At least 1 element.
id string
is_default boolean
is_default_monitoring boolean
is_internal boolean
is_preconfigured boolean
name string
preset string

Values are balanced, custom, throughput, scale, or latency.
proxy_id string | null
secrets object

Additional properties are NOT allowed.
Hide secrets attribute Show secrets attribute object
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
shipper object | null

Additional properties are NOT allowed.
Hide shipper attributes Show shipper attributes object | null
- compression_level number | null Required
- disk_queue_compression_enabled boolean | null Required
- disk_queue_enabled boolean | null
  
  Default value is false.
- disk_queue_encryption_enabled boolean | null Required
- disk_queue_max_size number | null Required
- disk_queue_path string | null Required
- loadbalance boolean | null Required
- max_batch_bytes number | null Required
- mem_queue_events number | null Required
- queue_flush_timeout number | null Required
ssl object | null

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object | null
- certificate string
- certificate_authorities array[string]
- key string
- verification_mode string
  
  Values are full, none, certificate, or strict.
type string

Value is elasticsearch.

allow_edit array[string]
ca_sha256 string | null
ca_trusted_fingerprint string | null
config_yaml string | null
hosts array[string(uri)]

At least 1 element.
id string
is_default boolean
is_default_monitoring boolean
is_internal boolean
is_preconfigured boolean
kibana_api_key string | null
kibana_url string | null
name string
preset string

Values are balanced, custom, throughput, scale, or latency.
proxy_id string | null
secrets object

Additional properties are NOT allowed.
Hide secrets attributes Show secrets attributes object
- service_token object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
service_token string | null
shipper object | null

Additional properties are NOT allowed.
Hide shipper attributes Show shipper attributes object | null
- compression_level number | null Required
- disk_queue_compression_enabled boolean | null Required
- disk_queue_enabled boolean | null
  
  Default value is false.
- disk_queue_encryption_enabled boolean | null Required
- disk_queue_max_size number | null Required
- disk_queue_path string | null Required
- loadbalance boolean | null Required
- max_batch_bytes number | null Required
- mem_queue_events number | null Required
- queue_flush_timeout number | null Required
ssl object | null

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object | null
- certificate string
- certificate_authorities array[string]
- key string
- verification_mode string
  
  Values are full, none, certificate, or strict.
sync_integrations boolean
sync_uninstalled_integrations boolean
type string

Value is remote_elasticsearch.

allow_edit array[string]
ca_sha256 string | null
ca_trusted_fingerprint string | null
config_yaml string | null
hosts array[string]

At least 1 element.
id string
is_default boolean
is_default_monitoring boolean
is_internal boolean
is_preconfigured boolean
name string
proxy_id string | null
secrets object

Additional properties are NOT allowed.
Hide secrets attribute Show secrets attribute object
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
shipper object | null

Additional properties are NOT allowed.
Hide shipper attributes Show shipper attributes object | null
- compression_level number | null Required
- disk_queue_compression_enabled boolean | null Required
- disk_queue_enabled boolean | null
  
  Default value is false.
- disk_queue_encryption_enabled boolean | null Required
- disk_queue_max_size number | null Required
- disk_queue_path string | null Required
- loadbalance boolean | null Required
- max_batch_bytes number | null Required
- mem_queue_events number | null Required
- queue_flush_timeout number | null Required
ssl object | null

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object | null
- certificate string
- certificate_authorities array[string]
- key string
- verification_mode string
  
  Values are full, none, certificate, or strict.
type string

Value is logstash.

allow_edit array[string]
auth_type string

Values are none, user_pass, ssl, or kerberos.
broker_timeout number
ca_sha256 string | null
ca_trusted_fingerprint string | null
client_id string
compression string

Values are gzip, snappy, lz4, or none.
compression_level array | null | boolean | number | object | string Required

Any of:
array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
config_yaml string | null
connection_type array | null | boolean | number | object | string Required

Any of:
array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
hash object

Additional properties are NOT allowed.
Hide hash attributes Show hash attributes object
- hash string
- random boolean
headers array[object]
Hide headers attributes Show headers attributes object
- key string Required
- value string Required
hosts array[string]

At least 1 element.
id string
is_default boolean

Default value is false.
is_default_monitoring boolean

Default value is false.
is_internal boolean
is_preconfigured boolean
key string
name string Required
partition string

Values are random, round_robin, or hash.
password array | null | boolean | number | object | string Required

Any of:
array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
proxy_id string | null
random object

Additional properties are NOT allowed.
Hide random attribute Show random attribute object
- group_events number
required_acks integer

Values are 1, 0, or -1.
round_robin object

Additional properties are NOT allowed.
Hide round_robin attribute Show round_robin attribute object
- group_events number
sasl object | null

Additional properties are NOT allowed.
Hide sasl attribute Show sasl attribute object | null
- mechanism string
  
  Values are PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.
secrets object

Additional properties are NOT allowed.
Hide secrets attributes Show secrets attributes object
- password object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string Required
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
shipper object | null

Additional properties are NOT allowed.
Hide shipper attributes Show shipper attributes object | null
- compression_level number | null Required
- disk_queue_compression_enabled boolean | null Required
- disk_queue_enabled boolean | null
  
  Default value is false.
- disk_queue_encryption_enabled boolean | null Required
- disk_queue_max_size number | null Required
- disk_queue_path string | null Required
- loadbalance boolean | null Required
- max_batch_bytes number | null Required
- mem_queue_events number | null Required
- queue_flush_timeout number | null Required
ssl object | null

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object | null
- certificate string
- certificate_authorities array[string]
- key string
- verification_mode string
  
  Values are full, none, certificate, or strict.
timeout number
topic string
type string

Value is kafka.
username array | null | boolean | number | object | string Required

Any of:
array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
version string

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Any of:
  object-1 object object-2 object object-3 object object-4 object
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string(uri)] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  name string Required
  
  preset string
  
  Values are balanced, custom, throughput, scale, or latency.
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  type string Required
  
  Value is elasticsearch.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string(uri)] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  kibana_api_key string | null
  
  kibana_url string | null
  
  name string Required
  
  preset string
  
  Values are balanced, custom, throughput, scale, or latency.
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attributes Show secrets attributes object
  
  service_token object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  service_token string | null
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  sync_integrations boolean
  
  sync_uninstalled_integrations boolean
  
  type string Required
  
  Value is remote_elasticsearch.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  name string Required
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  type string Required
  
  Value is logstash.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  auth_type string Required
  
  Values are none, user_pass, ssl, or kerberos.
  
  broker_timeout number
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  client_id string
  
  compression string
  
  Values are gzip, snappy, lz4, or none.
  
  compression_level array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  config_yaml string | null
  
  connection_type array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  hash object
  
  Additional properties are allowed.
  
  Hide hash attributes Show hash attributes object
  
  hash string
  
  random boolean
  
  headers array[object]
  
  Hide headers attributes Show headers attributes object
  
  key string Required
  
  value string Required
  
  hosts array[string] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  key string
  
  name string Required
  
  partition string
  
  Values are random, round_robin, or hash.
  
  password array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  proxy_id string | null
  
  random object
  
  Additional properties are allowed.
  
  Hide random attribute Show random attribute object
  
  group_events number
  
  required_acks integer
  
  Values are 1, 0, or -1.
  
  round_robin object
  
  Additional properties are allowed.
  
  Hide round_robin attribute Show round_robin attribute object
  
  group_events number
  
  sasl object | null
  
  Additional properties are allowed.
  
  Hide sasl attribute Show sasl attribute object | null
  
  mechanism string
  
  Values are PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attributes Show secrets attributes object
  
  password object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string Required
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  timeout number
  
  topic string
  
  type string Required
  
  Value is kafka.
  
  username array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

PUT /api/fleet/outputs/{outputId}

curl \
 --request PUT 'https://<KIBANA_URL>/api/fleet/outputs/{outputId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"allow_edit":["string"],"ca_sha256":"string","ca_trusted_fingerprint":"string","config_yaml":"string","hosts":["https://example.com"],"id":"string","is_default":true,"is_default_monitoring":true,"is_internal":true,"is_preconfigured":true,"name":"string","preset":"balanced","proxy_id":"string","secrets":{"ssl":{"key":{"id":"string"}}},"shipper":{"compression_level":42.0,"disk_queue_compression_enabled":true,"disk_queue_enabled":false,"disk_queue_encryption_enabled":true,"disk_queue_max_size":42.0,"disk_queue_path":"string","loadbalance":true,"max_batch_bytes":42.0,"mem_queue_events":42.0,"queue_flush_timeout":42.0},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string","verification_mode":"full"},"type":"elasticsearch"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "elasticsearch"
}

# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "kibana_api_key": "string",
  "kibana_url": "string",
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "secrets": {
    "service_token": {
      "id": "string"
    },
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "service_token": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "sync_integrations": true,
  "sync_uninstalled_integrations": true,
  "type": "remote_elasticsearch"
}

# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "logstash"
}

# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "auth_type": "none",
  "broker_timeout": 42.0,
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "client_id": "string",
  "compression": "gzip",
  "compression_level": [],
  "config_yaml": "string",
  "connection_type": [],
  "hash": {
    "hash": "string",
    "random": true
  },
  "headers": [
    {
      "key": "string",
      "value": "string"
    }
  ],
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "key": "string",
  "name": "string",
  "partition": "random",
  "password": [],
  "proxy_id": "string",
  "random": {
    "group_events": 42.0
  },
  "required_acks": 1,
  "round_robin": {
    "group_events": 42.0
  },
  "sasl": {
    "mechanism": "PLAIN"
  },
  "secrets": {
    "password": {
      "id": "string"
    },
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "timeout": 42.0,
  "topic": "string",
  "type": "kafka",
  "username": [],
  "version": "string"
}

Response examples (200)

{
  "item": {
    "allow_edit": [
      "string"
    ],
    "ca_sha256": "string",
    "ca_trusted_fingerprint": "string",
    "config_yaml": "string",
    "hosts": [
      "https://example.com"
    ],
    "id": "string",
    "is_default": false,
    "is_default_monitoring": false,
    "is_internal": true,
    "is_preconfigured": true,
    "name": "string",
    "preset": "balanced",
    "proxy_id": "string",
    "secrets": {
      "ssl": {
        "key": {
          "id": "string"
        }
      }
    },
    "shipper": {
      "compression_level": 42.0,
      "disk_queue_compression_enabled": true,
      "disk_queue_enabled": false,
      "disk_queue_encryption_enabled": true,
      "disk_queue_max_size": 42.0,
      "disk_queue_path": "string",
      "loadbalance": true,
      "max_batch_bytes": 42.0,
      "mem_queue_events": 42.0,
      "queue_flush_timeout": 42.0
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string",
      "verification_mode": "full"
    },
    "type": "elasticsearch"
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete output

DELETE /api/fleet/outputs/{outputId}

Api key auth

Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Responses

200 application/json
Hide response attribute Show response attribute object
- id string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
404 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/outputs/{outputId}

curl \
 --request DELETE 'https://<KIBANA_URL>/api/fleet/outputs/{outputId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Response examples (200)

{
  "id": "string"
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Response examples (404)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Update a package policy

PUT /api/fleet/package_policies/{packagePolicyId}

Api key auth

Update a package policy by ID.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

format string

Values are simplified or legacy.

application/json

Body object

additional_datastreams_permissions array[string] | null

Additional datastream permissions, that will be added to the agent policy.
description string

Package policy description
enabled boolean
force boolean
inputs array[object]
Hide inputs attributes Show inputs attributes object
- config object
  
  Package variable (see integration documentation for more information)
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
- enabled boolean Required
- id string
- keep_enabled boolean
- policy_template string
- streams array[object]
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
- type string Required
- vars object
  
  Package variable (see integration documentation for more information)
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
is_managed boolean
name string
namespace string

The package policy namespace. Leave blank to inherit the agent policy's namespace.
output_id string | null
overrides object | null

Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

Additional properties are NOT allowed.
Hide overrides attribute Show overrides attribute object | null
- inputs object
  
  Additional properties are allowed.
package object

Additional properties are NOT allowed.
Hide package attributes Show package attributes object
- experimental_data_stream_features array[object]
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
- name string Required
  
  Package name
- requires_root boolean
- title string
- version string Required
  
  Package version
policy_id string | null Deprecated

Agent policy ID where that package policy will be added
policy_ids array[string]

Agent policy IDs where that package policy will be added
supports_agentless boolean | null

Indicates whether the package policy belongs to an agentless agent policy.

Default value is false.
vars object

Package variable (see integration documentation for more information)
Hide vars attribute Show vars attribute object
- * object Additional properties
  
  Additional properties are NOT allowed.
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
version string

additional_datastreams_permissions array[string] | null

Additional datastream permissions, that will be added to the agent policy.
description string
force boolean
id string
inputs object

Package policy inputs (see integration documentation to know what inputs are available)
Hide inputs attribute Show inputs attribute object
- * object Additional properties
  
  Additional properties are NOT allowed.
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
name string Required
namespace string
output_id string | null
package object Required

Additional properties are NOT allowed.
Hide package attributes Show package attributes object
- experimental_data_stream_features array[object]
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
- name string Required
  
  Package name
- requires_root boolean
- title string
- version string Required
  
  Package version
policy_id string | null
policy_ids array[string]
supports_agentless boolean | null

Indicates whether the package policy belongs to an agentless agent policy.

Default value is false.
vars object

Input/stream level variable (see integration documentation for more information)

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
403 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

PUT /api/fleet/package_policies/{packagePolicyId}

curl \
 --request PUT 'https://<KIBANA_URL>/api/fleet/package_policies/{packagePolicyId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"additional_datastreams_permissions":["string"],"description":"string","enabled":true,"force":true,"inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"version":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "additional_datastreams_permissions": [
    "string"
  ],
  "description": "string",
  "enabled": true,
  "force": true,
  "inputs": [
    {
      "config": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "enabled": true,
      "id": "string",
      "keep_enabled": true,
      "policy_template": "string",
      "streams": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "data_stream": {
            "dataset": "string",
            "elasticsearch": {
              "dynamic_dataset": true,
              "dynamic_namespace": true,
              "privileges": {
                "indices": [
                  "string"
                ]
              }
            },
            "type": "string"
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "release": "ga",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "type": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      }
    }
  ],
  "is_managed": true,
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "overrides": {
    "inputs": {}
  },
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {
    "additionalProperty1": {
      "frozen": true,
      "type": "string"
    },
    "additionalProperty2": {
      "frozen": true,
      "type": "string"
    }
  },
  "version": "string"
}

# Headers
kbn-xsrf: true

# Payload
{
  "additional_datastreams_permissions": [
    "string"
  ],
  "description": "string",
  "force": true,
  "id": "string",
  "inputs": {
    "additionalProperty1": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    },
    "additionalProperty2": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    }
  },
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {}
}

Response examples (200)

{
  "item": {
    "additional_datastreams_permissions": [
      "string"
    ],
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Response examples (403)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a package policy

DELETE /api/fleet/package_policies/{packagePolicyId}

Api key auth

Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Responses

200 application/json
Hide response attribute Show response attribute object
- id string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/package_policies/{packagePolicyId}

curl \
 --request DELETE 'https://<KIBANA_URL>/api/fleet/package_policies/{packagePolicyId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Response examples (200)

{
  "id": "string"
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Dry run a package policy upgrade

POST /api/fleet/package_policies/upgrade/dryrun

Api key auth

[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

packagePolicyIds array[string] Required
packageVersion string

Responses

200 application/json
Hide response attributes Show response attributes object
- agent_diff array[array]
  
  Hide agent_diff attributes Show agent_diff attributes object
  
  data_stream object Required
  
  Additional properties are allowed.
  
  Hide data_stream attribute Show data_stream attribute object
  
  namespace string Required
  
  id string Required
  
  meta object
  
  Additional properties are allowed.
  
  Hide meta attribute Show meta attribute object
  
  package object Required
  
  Additional properties are allowed.
  
  Hide package attributes Show package attributes object
  
  name string Required
  
  version string Required
  
  name string Required
  
  package_policy_id string Required
  
  processors array[object]
  
  Hide processors attribute Show processors attribute object
  
  add_fields object Required
  
  Additional properties are allowed.
  
  Hide add_fields attributes Show add_fields attributes object
  
  fields object Required
  
  target string Required
  
  revision number Required
  
  streams array[object]
  
  Hide streams attributes Show streams attributes object
  
  data_stream object Required
  
  Additional properties are allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  type string
  
  id string
  
  type string Required
  
  use_output string Required
- body object
  
  Additional properties are NOT allowed.
  
  Hide body attribute Show body attribute object
  
  message string Required
- diff array[object]
  
  Any of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
  
  Hide attributes Show attributes
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  description string
  
  Package policy description
  
  enabled boolean Required
  
  errors array[object]
  
  Hide errors attributes Show errors attributes object
  
  key string
  
  message string Required
  
  force boolean
  
  id string
  
  inputs array[object] Required
  
  Hide inputs attributes Show inputs attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  is_managed boolean
  
  missingVars array[string]
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
- hasErrors boolean Required
- name string
- statusCode number
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/package_policies/upgrade/dryrun

curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/package_policies/upgrade/dryrun' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"packagePolicyIds":["string"],"packageVersion":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "packagePolicyIds": [
    "string"
  ],
  "packageVersion": "string"
}

Response examples (200)

[
  {
    "agent_diff": [
      [
        {
          "data_stream": {
            "namespace": "string"
          },
          "id": "string",
          "meta": {
            "package": {
              "name": "string",
              "version": "string"
            }
          },
          "name": "string",
          "package_policy_id": "string",
          "processors": [
            {
              "add_fields": {
                "fields": {},
                "target": "string"
              }
            }
          ],
          "revision": 42.0,
          "streams": [
            {
              "data_stream": {
                "dataset": "string",
                "type": "string"
              },
              "id": "string"
            }
          ],
          "type": "string",
          "use_output": "string"
        }
      ]
    ],
    "body": {
      "message": "string"
    },
    "diff": [
      {
        "additional_datastreams_permissions": [
          "string"
        ],
        "agents": 42.0,
        "created_at": "string",
        "created_by": "string",
        "description": "string",
        "elasticsearch": {
          "privileges": {
            "cluster": [
              "string"
            ]
          }
        },
        "enabled": true,
        "id": "string",
        "inputs": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "policy_template": "string",
            "streams": [
              {
                "config": {
                  "additionalProperty1": {
                    "frozen": true,
                    "type": "string"
                  },
                  "additionalProperty2": {
                    "frozen": true,
                    "type": "string"
                  }
                },
                "data_stream": {
                  "dataset": "string",
                  "elasticsearch": {
                    "dynamic_dataset": true,
                    "dynamic_namespace": true,
                    "privileges": {
                      "indices": [
                        "string"
                      ]
                    }
                  },
                  "type": "string"
                },
                "enabled": true,
                "id": "string",
                "keep_enabled": true,
                "release": "ga",
                "vars": {
                  "additionalProperty1": {
                    "frozen": true,
                    "type": "string"
                  },
                  "additionalProperty2": {
                    "frozen": true,
                    "type": "string"
                  }
                }
              }
            ],
            "type": "string",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "is_managed": true,
        "name": "string",
        "namespace": "string",
        "output_id": "string",
        "overrides": {
          "inputs": {}
        },
        "package": {
          "experimental_data_stream_features": [
            {
              "data_stream": "string",
              "features": {
                "doc_value_only_numeric": true,
                "doc_value_only_other": true,
                "synthetic_source": true,
                "tsdb": true
              }
            }
          ],
          "name": "string",
          "requires_root": true,
          "title": "string",
          "version": "string"
        },
        "policy_id": "string",
        "policy_ids": [
          "string"
        ],
        "revision": 42.0,
        "secret_references": [
          {
            "id": "string"
          }
        ],
        "spaceIds": [
          "string"
        ],
        "supports_agentless": false,
        "updated_at": "string",
        "updated_by": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "version": "string"
      }
    ],
    "hasErrors": true,
    "name": "string",
    "statusCode": 42.0
  }
]

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get proxies

GET /api/fleet/proxies

Api key auth

[Required authorization] Route required privileges: fleet-settings-read.

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  certificate string | null
  
  certificate_authorities string | null
  
  certificate_key string | null
  
  id string Required
  
  is_preconfigured boolean
  
  Default value is false.
  
  name string Required
  
  proxy_headers object | null
  
  url string Required
- page number Required
- perPage number Required
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/proxies

curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/proxies' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "items": [
    {
      "certificate": "string",
      "certificate_authorities": "string",
      "certificate_key": "string",
      "id": "string",
      "is_preconfigured": false,
      "name": "string",
      "proxy_headers": {},
      "url": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a Fleet Server host

DELETE /api/fleet/fleet_server_hosts/{itemId}

Api key auth

Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Responses

200 application/json
Hide response attribute Show response attribute object
- id string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/fleet_server_hosts/{itemId}

curl \
 --request DELETE 'https://<KIBANA_URL>/api/fleet/fleet_server_hosts/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Response examples (200)

{
  "id": "string"
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Create or update a role

PUT /api/security/role/{name}

Api key auth

Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

name string Required

The role name.

Minimum length is 1, maximum length is 1024.

Query parameters

createOnly boolean

When true, a role is not overwritten if it already exists.

Default value is false.

application/json

Body

description string

A description for the role.

Maximum length is 2048.
elasticsearch object Required

Additional properties are NOT allowed.
Hide elasticsearch attributes Show elasticsearch attributes object
- cluster array[string]
  
  Cluster privileges that define the cluster level actions that users can perform.
- indices array[object]
  Hide indices attributes Show indices attributes object
  
  allow_restricted_indices boolean
  
  Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
  
  field_security object
  
  Hide field_security attribute Show field_security attribute object
  
  * array[string] Additional properties
  
  The document fields that the role members have read access to.
  
  names array[string] Required
  
  The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
  
  At least 1 element.
  
  privileges array[string] Required
  
  The index level privileges that the role members have for the data streams and indices.
  
  At least 1 element.
  
  query string
  
  A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
- remote_cluster array[object]
  Hide remote_cluster attributes Show remote_cluster attributes object
  
  clusters array[string] Required
  
  A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
  
  At least 1 element.
  
  privileges array[string] Required
  
  The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
  
  At least 1 element.
- remote_indices array[object]
  Hide remote_indices attributes Show remote_indices attributes object
  
  allow_restricted_indices boolean
  
  Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
  
  clusters array[string] Required
  
  A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
  
  At least 1 element.
  
  field_security object
  
  Hide field_security attribute Show field_security attribute object
  
  * array[string] Additional properties
  
  The document fields that the role members have read access to.
  
  names array[string] Required
  
  A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
  
  At least 1 element.
  
  privileges array[string] Required
  
  The index level privileges that role members have for the specified indices.
  
  At least 1 element.
  
  query string
  
  A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
- run_as array[string]
  
  A user name that the role member can impersonate.
kibana array[object]
Hide kibana attributes Show kibana attributes object
- base array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
- feature object
  Hide feature attribute Show feature attribute object
  
  * array[string] Additional properties
  
  The privileges that the role member has for the feature.
- spaces array[string]
  
  Any of:
  array-1 array[string] array-2 array[string]
  
  At least 1 but not more than 1 element. Value is *. Default value is ["*"].
metadata object

Additional properties are allowed.

Responses

204

Indicates a successful call.

PUT /api/security/role/{name}

curl \
 --request PUT 'https://<KIBANA_URL>/api/security/role/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "elasticsearch": {
    "cluster": [
      "string"
    ],
    "indices": [
      {
        "allow_restricted_indices": true,
        "field_security": {
          "additionalProperty1": [
            "string"
          ],
          "additionalProperty2": [
            "string"
          ]
        },
        "names": [
          "string"
        ],
        "privileges": [
          "string"
        ],
        "query": "string"
      }
    ],
    "remote_cluster": [
      {
        "clusters": [
          "string"
        ],
        "privileges": [
          "string"
        ]
      }
    ],
    "remote_indices": [
      {
        "allow_restricted_indices": true,
        "clusters": [
          "string"
        ],
        "field_security": {
          "additionalProperty1": [
            "string"
          ],
          "additionalProperty2": [
            "string"
          ]
        },
        "names": [
          "string"
        ],
        "privileges": [
          "string"
        ],
        "query": "string"
      }
    ],
    "run_as": [
      "string"
    ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "additionalProperty1": [
          "string"
        ],
        "additionalProperty2": [
          "string"
        ]
      },
      "spaces": [
        "*"
      ]
    }
  ],
  "metadata": {}
}

Returns user privileges for the Kibana space

GET /api/detection_engine/privileges

Api key auth

Retrieves whether or not the user is authenticated, and the user's Kibana space and index privileges, which determine if the user can create an index for the Elastic Security alerts generated by detection engine rules.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- has_encryption_key boolean Required
- is_authenticated boolean Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/detection_engine/privileges

curl \
 --request GET 'https://<KIBANA_URL>/api/detection_engine/privileges' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "index": {
    ".alerts-security.alerts-default": {
      "all": true,
      "read": true,
      "index": true,
      "write": true,
      "create": true,
      "delete": true,
      "manage": true,
      "monitor": true,
      "create_doc": true,
      "maintenance": true,
      "create_index": true,
      "delete_index": true,
      "view_index_metadata": true
    }
  },
  "cluster": {
    "all": true,
    "manage": true,
    "monitor": true,
    "manage_ml": true,
    "monitor_ml": true,
    "manage_api_key": true,
    "manage_pipeline": true,
    "manage_security": true,
    "manage_transform": true,
    "monitor_transform": true,
    "manage_own_api_key": true,
    "manage_index_templates": true
  },
  "username": "elastic",
  "application": {},
  "is_authenticated": true,
  "has_all_requested": true,
  "has_encryption_key": true
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Retrieve a detection rule

GET /api/detection_engine/rules

Api key auth

Retrieve a detection rule using the rule_id or id field.

The URL query must include one of the following:

id - GET /api/detection_engine/rules?id=<id>
rule_id - GET /api/detection_engine/rules?rule_id=<rule_id>

The difference between the id and rule_id is that the id is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas rule_id is a stable rule identifier that can be assigned during rule creation.

Query parameters

id string(uuid)

The rule's id value.
rule_id string

The rule's rule_id value.

Responses

200 application/json

Indicates a successful call.

These fields are under development and their usage or schema may change: execution_summary.
Any of:
Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object
Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

language string Required

Query language to use

Value is eql.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is eql.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

event_category_override string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

tiebreaker_field string

Sets a secondary field for sorting events

timestamp_field string

Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

type string Required Discriminator

Rule type

Value is query.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

saved_id string

Kibana saved search used by the rule to create alerts.

language string Required

Values are kuery or lucene.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

saved_id string Required

Kibana saved search used by the rule to create alerts.

type string Required Discriminator

Rule type

Value is saved_query.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

query string

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

threshold object Required

Hide threshold attributes Show threshold attributes object

cardinality array[object]

The field on which the cardinality is applied.

Hide cardinality attributes Show cardinality attributes object

field string Required

The field on which to calculate and compare the cardinality.

value integer Required

The threshold value from which an alert is generated based on unique number of values of cardinality.field.

Minimum value is 0.

field string | array[string] Required

The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field.

One of:
string-1 string array-2 array[string]

value integer Required

The threshold value from which an alert is generated.

Minimum value is 1.

type string Required Discriminator

Rule type

Value is threshold.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attribute Show alert_suppression attribute object

duration object Required

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

saved_id string

Kibana saved search used by the rule to create alerts.

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

threat_index array[string] Required

Elasticsearch indices used to check which field values generate alerts.

threat_mapping array[object] Required

Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:

field: field from the event indices on which the rule runs

type: must be mapping

value: field from the Elasticsearch threat index

You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both and and or logic.

At least 1 element.

Hide threat_mapping attribute Show threat_mapping attribute object

entries array[object] Required

Hide entries attributes Show entries attributes object

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required

Value is mapping.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

threat_query string Required

Query used to determine which fields in the Elasticsearch index are used for generating alerts.

type string Required Discriminator

Rule type

Value is threat_match.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

concurrent_searches integer

Minimum value is 1.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

items_per_search integer

Minimum value is 1.

saved_id string

Kibana saved search used by the rule to create alerts.

threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values

threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)

threat_language string

Values are kuery or lucene.

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

anomaly_threshold integer Required

Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.

Minimum value is 0.

machine_learning_job_id string | array[string] Required

Machine learning job ID(s) the rule monitors for anomaly scores.

One of:
string-1 string array-2 array[string]

type string Required Discriminator

Rule type

Value is machine_learning.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.
Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

history_window_start string(nonempty) Required

Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.

Minimum length is 1.

new_terms_fields array[string] Required

Fields to monitor for new values.

At least 1 but not more than 3 elements.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is new_terms.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

One of:
Security_Detections_API_ExternalRuleSource object Security_Detections_API_InternalRuleSource object

Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

Hide attributes Show attributes

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

language string Required

Value is esql.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is esql.

GET /api/detection_engine/rules

curl \
  --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \
  --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Response examples (200)

{
  "id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3",
  "to": "now-300s",
  "from": "now-4200s",
  "name": "MS Office child process",
  "tags": [
    "child process",
    "ms office"
  ],
  "type": "query",
  "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
  "setup": "",
  "threat": [
    {
      "tactic": {
        "id": "TA0001",
        "name": "Initial Access",
        "reference": "https://attack.mitre.org/tactics/TA0001"
      },
      "framework": "MITRE ATT&CK",
      "technique": [
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "reference": "https://attack.mitre.org/techniques/T1193"
        }
      ]
    }
  ],
  "enabled": false,
  "filters": [
    {
      "query": {
        "match": {
          "event.action": {
            "type": "phrase",
            "query": "Process Create (rule: ProcessCreate)"
          }
        }
      }
    }
  ],
  "rule_id": "process_started_by_ms_office_user_folder",
  "version": 1,
  "interval": "1h",
  "language": "kuery",
  "severity": "low",
  "immutable": false,
  "created_at": "2020-02-03T11:19:04.259Z",
  "created_by": "elastic",
  "references": [],
  "risk_score": 21,
  "updated_at": "2020-02-03T11:19:04.462Z",
  "updated_by": "elastic",
  "description": "Process started by MS Office program in user folder",
  "max_signals": 100,
  "false_positives": [],
  "required_fields": [
    {
      "ecs": true,
      "name": "process.name",
      "type": "keyword"
    },
    {
      "ecs": true,
      "name": "process.parent.name",
      "type": "keyword"
    }
  ],
  "execution_summary": {
    "last_execution": {
      "date": "2022-03-23T16:06:12.787Z",
      "status": "partial failure",
      "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
      "metrics": {
        "execution_gap_duration_s": 0,
        "total_search_duration_ms": 135,
        "total_indexing_duration_ms": 15
      },
      "status_order": 20
    }
  },
  "related_integrations": [
    {
      "package": "o365",
      "version": "^2.3.2"
    }
  ]
}

POST /api/detection_engine/rules/_export

Api key auth

Export detection rules to an .ndjson file. The following configuration items are also included in the .ndjson file:

Actions
Exception lists

Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.

You can use Kibana’s Saved Objects UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before importing detection rules.

Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Manage value lists UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.

Query parameters

exclude_export_details boolean

Determines whether a summary of the exported rules is returned.

Default value is false.
file_name string

File name for saving the exported rules.

When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.

Default value is export.ndjson.

application/json

Body

objects array[object] Required

Array of rule_id fields. Exports all rules when unspecified.
Hide objects attribute Show objects attribute object
- rule_id string Required
  
  A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

Responses

200 application/ndjson

Indicates a successful call.

An .ndjson file containing the returned rules.

Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.

POST /api/detection_engine/rules/_export

curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
  "objects": [
    {
      "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
    },
    {
      "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
    }
  ]
}

Request examples

{
  "objects": [
    {
      "rule_id": "string"
    }
  ]
}

Response examples (200)

@file

params object

key object | string

value string | number Required

package_policies array[string] | array[object]

value string | number Required

value string | number Required

package_policies array[string] | array[object]

value string | number Required

package_policies array[string] | array[object]

type string Required

Body object

key object | string

key object | string

key object | string

key object | string Required

item object Required

key object | string

key object | string

key object | string

key object | string Required

Body object

inputs array[object] | object Required

vars object

inputs array[object] | object Required

vars object

base array | null | boolean | number | object | string Required

spaces array[string]

throttle string | null Required