Get single agent configuration

GET /api/apm/settings/agent-configuration/view

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    • id string Required
    • @timestamp number Required

      Timestamp

  • agent_name string

    Agent name

  • applied_by_agent boolean

    Applied by agent

    • etag string Required

      etag is sent by the APM agent to indicate the etag of the last successfully applied configuration. If the etag matches an existing configuration its applied_by_agent property will be set to true. Every time a configuration is edited applied_by_agent is reset to false.

    • service object Required

      Service

    • settings object Required

      Agent configuration settings

      • * string Additional properties
  • 400 application/json

    Bad Request response

  • 401 application/json

    Unauthorized response

  • 404 application/json

    Not found response

GET /api/apm/settings/agent-configuration/view
curl \
 --request GET 'https://<KIBANA_URL>/api/apm/settings/agent-configuration/view' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "id": "string",
  "@timestamp": 1730194190636,
  "agent_name": "string",
  "applied_by_agent": true,
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}
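The etag handshake described for this endpoint (an agent reports the etag it last applied; a match sets applied_by_agent to true; any edit resets it to false), modelled as an added example that is not Kibana's own code. The etag derivation below (SHA-1 over canonical JSON of the settings) is an assumption for illustration; the page does not state how Kibana computes it.

```python
# Added example (not Kibana's code): models the etag / applied_by_agent
# reconciliation described for GET /api/apm/settings/agent-configuration/view.
# Assumption: the etag is computed here as SHA-1 over canonical JSON of the
# settings; Kibana's actual derivation is not given on the page.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass
class AgentConfiguration:
    service: dict          # e.g. {"name": "node", "environment": "prod"}
    settings: dict         # e.g. {"transaction_sample_rate": "0.5"}
    etag: str
    applied_by_agent: bool = False


def compute_etag(settings: dict) -> str:
    """Hypothetical etag: SHA-1 of the settings serialised deterministically."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha1(canonical.encode("utf-8")).hexdigest()


class ConfigurationStore:
    """Keeps one configuration per (service name, environment)."""

    def __init__(self) -> None:
        self._configs: dict[tuple, AgentConfiguration] = {}

    @staticmethod
    def _key(service: dict) -> tuple:
        return (service.get("name"), service.get("environment"))

    def save(self, service: dict, settings: dict) -> AgentConfiguration:
        # Creating or editing a configuration always resets applied_by_agent:
        # the new etag has not been acknowledged by any agent yet.
        cfg = AgentConfiguration(service=dict(service), settings=dict(settings),
                                 etag=compute_etag(settings))
        self._configs[self._key(service)] = cfg
        return cfg

    def view(self, service: dict) -> AgentConfiguration | None:
        return self._configs.get(self._key(service))

    def agent_reported(self, service: dict, agent_etag: str) -> bool:
        """Handle an APM agent reporting the etag it last applied.

        Only an exact match marks the configuration as applied; a stale etag
        (from a configuration that has since been edited) changes nothing.
        """
        cfg = self.view(service)
        if cfg is None or cfg.etag != agent_etag:
            return False
        cfg.applied_by_agent = True
        return True


def demo() -> dict:
    """Walk through create -> agent ack -> edit and return the observed states."""
    store = ConfigurationStore()
    svc = {"name": "node", "environment": "prod"}
    first = store.save(svc, {"transaction_sample_rate": "0.5"})
    before_ack = first.applied_by_agent               # False: nobody applied it
    acked = store.agent_reported(svc, first.etag)      # True: etag matches
    after_ack = store.view(svc).applied_by_agent       # True
    second = store.save(svc, {"transaction_sample_rate": "0.1"})
    after_edit = second.applied_by_agent               # False again after edit
    stale = store.agent_reported(svc, first.etag)      # False: old etag
    return {"before_ack": before_ack, "acked": acked, "after_ack": after_ack,
            "after_edit": after_edit, "stale_ack": stale,
            "etag_changed": first.etag != second.etag}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```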

Save APM server schema

POST /api/apm/fleet/apm_server_schema

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • schema object

    Schema object

    Additional properties are allowed.

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json

    Bad Request response

  • 401 application/json

    Unauthorized response

  • 403 application/json

    Forbidden response

  • 404 application/json

    Not found response

POST /api/apm/fleet/apm_server_schema
curl \
 --request POST 'https://<KIBANA_URL>/api/apm/fleet/apm_server_schema' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"schema":{"foo":"bar"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "schema": {
    "foo": "bar"
  }
}
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get CCR Remote synced integrations status

GET /api/fleet/remote_synced_integrations/status

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.

Responses

GET /api/fleet/remote_synced_integrations/status
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/remote_synced_integrations/status' \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "custom_assets": {
    "additionalProperty1": {
      "name": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "type": "string"
    },
    "additionalProperty2": {
      "name": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "type": "string"
    }
  },
  "error": "string",
  "integrations": [
    {
      "error": "string",
      "id": "string",
      "package_name": "string",
      "package_version": "string",
      "sync_status": "completed",
      "updated_at": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get data streams

GET /api/fleet/epm/data_streams

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Query parameters

Responses

  • 200 application/json
    • items array[object] Required
  • 400 application/json
GET /api/fleet/epm/data_streams
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/data_streams' \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "items": [
    {
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Preview a saved object reference swap

POST /api/data_views/swap_references/_preview

Preview the impact of swapping saved object references from one data view identifier to another.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • delete boolean

    Deletes referenced saved object if all references are removed.

  • forId string | array[string]

    Limit the affected saved objects to one or more by identifier.

  • forType string

    Limit the affected saved objects by type.

  • fromId string Required

    The saved object reference to change.

  • fromType string

    Specify the type of the saved object reference to alter. The default value is index-pattern for data views.

  • toId string Required

    New saved object reference value to replace the old value.

Responses

  • 200 application/json

    Indicates a successful call.

    • result array[object]
      • id string

        A saved object identifier.

      • type string

        The saved object type.

POST /api/data_views/swap_references/_preview
curl \
 --request POST 'https://<KIBANA_URL>/api/data_views/swap_references/_preview' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"toId":"xyz-123","fromId":"abcd-efg"}'
Request example
{
  "toId": "xyz-123",
  "fromId": "abcd-efg"
}
Response examples (200)
{
  "result": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}

Get agent uploads

GET /api/fleet/agents/{agentId}/uploads

[Required authorization] Route required privileges: fleet-agents-read.

Responses

GET /api/fleet/agents/{agentId}/uploads
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agents/{agentId}/uploads' \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "items": [
    {
      "actionId": "string",
      "createTime": "string",
      "error": "string",
      "filePath": "string",
      "id": "string",
      "name": "string",
      "status": "READY"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete Kibana assets for a package

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Responses

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
curl \
 --request DELETE 'https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "success": true
}
Response examples (400)
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Authorize transforms

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Query parameters

application/json

Body

Responses

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"transforms":[{"transformId":"string"}]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "transforms": [
    {
      "transformId": "string"
    }
  ]
}
Response examples (200)
[
  {
    "success": true,
    "transformId": "string"
  }
]
Response examples (400)
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a limited package list

GET /api/fleet/epm/packages/limited

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Responses

GET /api/fleet/epm/packages/limited
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/packages/limited' \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "items": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a proxy

GET /api/fleet/proxies/{itemId}

Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read.

Responses

GET /api/fleet/proxies/{itemId}
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/proxies/{itemId}' \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get Fleet Server hosts

GET /api/fleet/fleet_server_hosts

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.

Responses

GET /api/fleet/fleet_server_hosts
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/fleet_server_hosts' \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "items": [
    {
      "host_urls": [
        "string"
      ],
      "id": "string",
      "is_default": false,
      "is_internal": true,
      "is_preconfigured": false,
      "name": "string",
      "proxy_id": "string",
      "secrets": {
        "ssl": {
          "es_key": {
            "id": "string"
          },
          "key": {
            "id": "string"
          }
        }
      },
      "ssl": {
        "certificate": "string",
        "certificate_authorities": [
          "string"
        ],
        "client_auth": "optional",
        "es_certificate": "string",
        "es_certificate_authorities": [
          "string"
        ],
        "es_key": "string",
        "key": "string"
      }
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a Knowledge Base Entry

POST /api/security_ai_assistant/knowledge_base/entries

Create a Knowledge Base Entry

application/json

Body object Required

Any of:
  • global boolean

    Whether this Knowledge Base Entry is global, defaults to false

  • name string Required

    Name of the Knowledge Base Entry

  • namespace string

    Kibana Space, defaults to 'default' space

  • users array[object]

    Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

    Could be any string, not necessarily a UUID

  • kbResource string Required

    Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc

    Values are security_labs or user.

  • source string Required

    Source document name or filepath

  • text string Required

    Knowledge Base Entry content

  • type string Required Discriminator

    Entry type

    Value is document.

  • required boolean

    Whether this resource should always be included, defaults to false

  • vector object

    Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

    • modelId string Required

      ID of the model used to create the embeddings

    • tokens object Required

      Tokens with their corresponding values

      • * number Additional properties

Responses

  • 200 application/json

    Successful request returning Knowledge Base Entries

    Any of:
    • global boolean Required

      Whether this Knowledge Base Entry is global, defaults to false

    • name string Required

      Name of the Knowledge Base Entry

    • namespace string Required

      Kibana Space, defaults to 'default' space

    • users array[object] Required

      Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

      Could be any string, not necessarily a UUID

    • createdAt string Required

      Time the Knowledge Base Entry was created

    • createdBy string Required

      User who created the Knowledge Base Entry

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • updatedAt string Required

      Time the Knowledge Base Entry was last updated

    • updatedBy string Required

      User who last updated the Knowledge Base Entry

    • kbResource string Required

      Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc

      Values are security_labs or user.

    • source string Required

      Source document name or filepath

    • text string Required

      Knowledge Base Entry content

    • type string Required Discriminator

      Entry type

      Value is document.

    • required boolean

      Whether this resource should always be included, defaults to false

    • vector object

      Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

      • modelId string Required

        ID of the model used to create the embeddings

      • tokens object Required

        Tokens with their corresponding values

        • * number Additional properties
  • 400 application/json

    Generic Error

POST /api/security_ai_assistant/knowledge_base/entries
curl \
 --request POST 'https://<KIBANA_URL>/api/security_ai_assistant/knowledge_base/entries' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"global":true,"name":"string","namespace":"string","users":[{"id":"string","name":"string"}],"kbResource":"security_labs","source":"string","text":"string","type":"document","required":true,"vector":{"modelId":"string","tokens":{"additionalProperty1":42.0,"additionalProperty2":42.0}}}'
Request examples
{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "kbResource": "security_labs",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}
{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}
Response examples (200)
{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "kbResource": "security_labs",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}
{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Add and remove detection alert tags

POST /api/detection_engine/signals/tags

Add tags to detection alerts, and remove them from alerts.

You cannot add and remove the same alert tag in the same request.

application/json

Body Required

An object containing the tags to add or remove and the IDs of the alerts to which the changes will be applied.

  • ids array[string(nonempty)] Required

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • tags object Required

    Object with list of tags to add and remove.

    • tags_to_add array[string(nonempty)] Required

      List of keywords to organize related alerts into categories that you can filter and group.

      Minimum length of each is 1.

    • tags_to_remove array[string(nonempty)] Required

      List of keywords to organize related alerts into categories that you can filter and group.

      Minimum length of each is 1.

Responses

POST /api/detection_engine/signals/tags
curl \
 --request POST 'https://<KIBANA_URL>/api/detection_engine/signals/tags' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"ids":["549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"],"tags":{"tags_to_add":["Duplicate"],"tags_to_remove":[]}}'
Request examples
{
  "ids": [
    "549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"
  ],
  "tags": {
    "tags_to_add": [
      "Duplicate"
    ],
    "tags_to_remove": []
  }
}
{
  "ids": [
    "549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"
  ],
  "tags": {
    "tags_to_add": [],
    "tags_to_remove": [
      "Duplicate"
    ]
  }
}
Response examples (200)
{
  "took": 68,
  "noops": 0,
  "total": 1,
  "batches": 1,
  "deleted": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "updated": 1,
  "failures": [],
  "timed_out": false,
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}
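A client-side check for the constraints this endpoint states (at least one non-empty alert ID, non-empty tag strings, and no tag both added and removed in one request), plus a reader for the update-by-query style 200 response, as an added example that is not Kibana's own code. The helper names and the sample response are constructed for illustration.

```python
# Added example (not Kibana's code): builds and validates a request body for
# POST /api/detection_engine/signals/tags, then interprets the 200 response.
# Assumptions: helper names are hypothetical; SAMPLE_RESPONSE is constructed to
# mirror the response shape shown on the page.
from __future__ import annotations

import json


class TagRequestError(ValueError):
    """Raised when a request would violate the endpoint's documented constraints."""


def _check_nonempty_strings(values, field: str) -> list[str]:
    if not isinstance(values, list):
        raise TagRequestError(f"{field} must be a list")
    for v in values:
        if not isinstance(v, str) or not v.strip():
            raise TagRequestError(f"{field} entries must be non-empty strings")
    return list(values)


def build_tag_request(ids, tags_to_add=(), tags_to_remove=()) -> dict:
    """Return the JSON body, enforcing:

    - ids: at least one element, each a non-empty string
    - tags_to_add / tags_to_remove: non-empty strings only
    - the same tag may not be both added and removed in one request
    """
    ids = _check_nonempty_strings(list(ids), "ids")
    if not ids:
        raise TagRequestError("ids must contain at least one alert id")
    add = _check_nonempty_strings(list(tags_to_add), "tags_to_add")
    remove = _check_nonempty_strings(list(tags_to_remove), "tags_to_remove")
    overlap = sorted(set(add) & set(remove))
    if overlap:
        raise TagRequestError(f"cannot add and remove the same tag(s): {overlap}")
    return {"ids": ids, "tags": {"tags_to_add": add, "tags_to_remove": remove}}


def is_valid_request(ids, tags_to_add=(), tags_to_remove=()) -> bool:
    """True when build_tag_request accepts the inputs, False when it rejects them."""
    try:
        build_tag_request(ids, tags_to_add, tags_to_remove)
        return True
    except TagRequestError:
        return False


def summarize_update(response: dict) -> dict:
    """Reduce the 200 response to what an operator needs to act on.

    needs_retry is set when alerts were skipped because of version conflicts
    (another writer touched the alert document) or when failures are listed.
    """
    conflicts = int(response.get("version_conflicts", 0))
    failures = response.get("failures") or []
    return {
        "updated": int(response.get("updated", 0)),
        "total": int(response.get("total", 0)),
        "version_conflicts": conflicts,
        "failure_count": len(failures),
        "needs_retry": conflicts > 0 or len(failures) > 0,
    }


# Constructed sample response mirroring the page's 200 example.
SAMPLE_RESPONSE = {
    "took": 68, "noops": 0, "total": 1, "batches": 1, "deleted": 0,
    "retries": {"bulk": 0, "search": 0}, "updated": 1, "failures": [],
    "timed_out": False, "throttled_millis": 0, "version_conflicts": 0,
    "requests_per_second": -1, "throttled_until_millis": 0,
}

if __name__ == "__main__":
    body = build_tag_request(
        ["549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"],
        tags_to_add=["Duplicate"])
    print(json.dumps(body))
    print(summarize_update(SAMPLE_RESPONSE))
```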

Run a script

POST /api/endpoint/action/runscript

Run a shell command on an endpoint.

application/json

Body Required

Responses

  • 200 application/json

    OK

POST /api/endpoint/action/runscript
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/runscript' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"parameters":{"commandLine":"string","raw":"string","timeout":42}}'
Request examples
{
  "parameters": {
    "commandLine": "string",
    "raw": "string",
    "timeout": 42
  }
}
Response examples (200)
{}

Get a metadata list

GET /api/endpoint/metadata

Query parameters

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • pageSize integer

    Number of items per page

    Minimum value is 1, maximum value is 100. Default value is 10.

  • kuery string

    A KQL string.

  • hostStatuses array[string] Required

    A set of agent health statuses to filter by.

    Values are healthy, offline, updating, inactive, or unenrolled.

  • sortField string

    Determines which field is used to sort the results.

    Values are enrolled_at, metadata.host.hostname, host_status, metadata.Endpoint.policy.applied.name, metadata.Endpoint.policy.applied.status, metadata.host.os.name, metadata.host.ip, metadata.agent.version, or last_checkin.

  • sortDirection string

    Determines the sort order.

    Values are asc or desc.

Responses

  • 200 application/json

    OK

GET /api/endpoint/metadata
curl \
 --request GET 'https://<KIBANA_URL>/api/endpoint/metadata?hostStatuses=healthy&hostStatuses=updating' \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "data": [
    {
      "metadata": {
        "ecs": {
          "version": "1.11.0"
        },
        "host": {
          "id": "0cfead88e2024bd8a27476352b5ab264",
          "ip": [
            "127.0.0.1",
            "::1",
            "10.0.2.15",
            "fe80::2ac7:8e15:b957:2fa1"
          ],
          "os": {
            "Ext": {
              "variant": "Ubuntu"
            },
            "full": "Ubuntu 20.04.2",
            "name": "Linux",
            "type": "linux",
            "family": "ubuntu",
            "kernel": "5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021",
            "version": "20.04.2",
            "platform": "ubuntu"
          },
          "mac": [
            "08:00:27:e6:78:8b"
          ],
          "name": "david-Xubuntu",
          "hostname": "david-Xubuntu",
          "architecture": "x86_64"
        },
        "agent": {
          "id": "285297c6-3bff-4b83-9a07-f3e749801123",
          "type": "endpoint",
          "build": {
            "original": "version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab"
          },
          "version": "7.16.0"
        },
        "event": {
          "id": "MNtSXK/SkhEBnmgt++++++7S",
          "kind": "metric",
          "type": [
            "info"
          ],
          "action": "endpoint_metadata",
          "module": "endpoint",
          "created": "2023-07-04T15:47:57.432173535Z",
          "dataset": "endpoint.metadata",
          "category": [
            "host"
          ],
          "ingested": "2023-07-04T15:47:58Z",
          "sequence": 400,
          "agent_id_status": "verified"
        },
        "elastic": {
          "agent": {
            "id": "285297c6-3bff-4b83-9a07-f3e749801123"
          }
        },
        "message": "Endpoint metadata",
        "Endpoint": {
          "state": {
            "isolation": false
          },
          "policy": {
            "applied": {
              "id": "d5371dcd-93b7-4627-af88-4084f7d6aa3e",
              "name": "test",
              "status": "success",
              "version": "3",
              "endpoint_policy_version": "2"
            }
          },
          "status": "enrolled",
          "capabilities": [
            "isolation"
          ],
          "configuration": {
            "isolation": false
          }
        },
        "@timestamp": "2023-07-04T15:47:57.432173535Z",
        "data_stream": {
          "type": "metrics",
          "dataset": "endpoint.metadata",
          "namespace": "default"
        }
      },
      "host_status": "healthy",
      "policy_info": {
        "agent": {
          "applied": {
            "id": "ed7e3720-4bad-11ec-a2a8-fb22e62a5753",
            "revision": 0
          },
          "configured": {
            "id": "ed7e3720-4bad-11ec-a2a8-fb22e62a5753",
            "revision": 3
          }
        },
        "endpoint": {
          "id": "d5371dcd-93b7-4627-af88-4084f7d6aa3e",
          "revision": 2
        }
      },
      "last_checkin": "2023-07-04T15:47:57.432Z"
    },
    {
      "metadata": {
        "ecs": {
          "version": "1.11.0"
        },
        "host": {
          "id": "17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5",
          "ip": [
            "10.0.2.15",
            "fe80::21a6:63d3:d70e:e3ad",
            "127.0.0.1",
            "::1"
          ],
          "os": {
            "Ext": {
              "variant": "Windows 10 Enterprise Evaluation"
            },
            "full": "Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906)",
            "name": "Windows",
            "type": "windows",
            "family": "windows",
            "kernel": "20H2 (10.0.19042.906)",
            "version": "20H2 (10.0.19042.906)",
            "platform": "windows"
          },
          "mac": [
            "08:00:27:b1:1d:5a"
          ],
          "name": "WinDev2104Eval",
          "hostname": "WinDev2104Eval",
          "architecture": "x86_64"
        },
        "agent": {
          "id": "abb8a826-6812-448c-a571-6d8269b51449",
          "type": "endpoint",
          "build": {
            "original": "version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab"
          },
          "version": "7.16.0"
        },
        "event": {
          "id": "MNtRc++KoKHXXwlj+++++/N9",
          "kind": "metric",
          "type": [
            "info"
          ],
          "action": "endpoint_metadata",
          "module": "endpoint",
          "created": "2023-07-04T15:44:31.4917849Z",
          "dataset": "endpoint.metadata",
          "category": [
            "host"
          ],
          "ingested": "2023-07-04T15:44:33Z",
          "sequence": 5159,
          "agent_id_status": "verified"
        },
        "elastic": {
          "agent": {
            "id": "abb8a826-6812-448c-a571-6d8269b51449"
          }
        },
        "message": "Endpoint metadata",
        "Endpoint": {
          "state": {
            "isolation": false
          },
          "policy": {
            "applied": {
              "id": "d5371dcd-93b7-4627-af88-4084f7d6aa3e",
              "name": "test",
              "status": "success",
              "version": "3",
              "endpoint_policy_version": "2"
            }
          },
          "status": "enrolled",
          "capabilities": [
            "isolation"
          ],
          "configuration": {
            "isolation": false
          }
        },
        "@timestamp": "2023-07-04T15:44:31.4917849Z",
        "data_stream": {
          "type": "metrics",
          "dataset": "endpoint.metadata",
          "namespace": "default"
        }
      },
      "host_status": "healthy",
      "policy_info": {
        "agent": {
          "applied": {
            "id": "ed7e3720-4bad-11ec-a2a8-fb22e62a5753",
            "revision": 0
          },
          "configured": {
            "id": "ed7e3720-4bad-11ec-a2a8-fb22e62a5753",
            "revision": 3
          }
        },
        "endpoint": {
          "id": "d5371dcd-93b7-4627-af88-4084f7d6aa3e",
          "revision": 2
        }
      },
      "last_checkin": "2023-07-04T15:44:31.491Z"
    }
  ],
  "page": 0,
  "total": 2,
  "pageSize": 10,
  "sortField": "enrolled_at",
  "sortDirection": "desc"
}

Security exceptions

Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.

Exceptions are made up of:

  • Exception containers: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
  • Exception items: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to true, the rule does not generate an alert.

For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.

You cannot use lists with endpoint rule exceptions.

Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.

Exceptions requirements

Before you can start working with exceptions that use value lists, you must create the .lists and .items data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to Enable and access detections.

Get pack details

GET /api/osquery/packs/{id}

Get the details of a query pack using the pack ID.

Path parameters

  • id string | null Required

    The ID of the pack you want to run, retrieve, update, or delete.

Responses

  • 200 application/json

    OK

GET /api/osquery/packs/{id}
curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/packs/3c42c847-eb30-4452-80e0-728584042334' \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "data": {
    "id": "3c42c847-eb30-4452-80e0-728584042334",
    "name": "test_pack",
    "type": "osquery-pack",
    "enabled": true,
    "queries": {
      "uptime": {
        "query": "select * from uptime",
        "interval": 3600,
        "ecs_mapping": {
          "message": {
            "field": "days"
          }
        }
      }
    },
    "read_only": false,
    "created_at": "2022-07-25T19:41:10.263Z",
    "created_by": "elastic",
    "namespaces": [
      "default"
    ],
    "policy_ids": [],
    "updated_at": "2022-07-25T20:12:01.455Z",
    "updated_by": "elastic",
    "description": ""
  }
}


Update a saved query

PUT /api/osquery/saved_queries/{id}

Update a saved query using the query ID.

You cannot update a prebuilt saved query.

Path parameters

  • id string | null Required

    The ID of a saved query.

application/json

Body Required

  • description string | null

    The saved query description.

  • ecs_mapping object | null

    Map osquery results columns or static values to Elastic Common Schema (ECS) fields

  • id string | null

    The ID of a saved query.

  • interval string

    An interval, in seconds, on which to run the query.

  • platform string | null

    Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

  • query string

    The SQL query you want to run.

  • removed boolean | null

    Indicates whether the query is removed.

  • snapshot boolean | null

    Indicates whether the query is a snapshot.

  • version string | null

    Restricts the query to Osquery versions greater than or equal to the specified version string.

Responses

  • 200 application/json

    OK

PUT /api/osquery/saved_queries/{id}
curl \
 --request PUT 'https://<KIBANA_URL>/api/osquery/saved_queries/3c42c847-eb30-4452-80e0-728584042334' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"id":"updated_my_saved_query_name"}'
Request example
{
  "id": "updated_my_saved_query_name"
}
Response examples (200)
{
  "data": {}
}


Pin/unpin an event

PATCH /api/pinned_event

Pin/unpin an event to/from an existing Timeline.

application/json

Body Required

The pinned event to add or unpin, along with additional metadata.

  • eventId string Required

    The _id of the associated event for this pinned event.

  • pinnedEventId string | null

    The savedObjectId of the pinned event you want to unpin.

  • timelineId string Required

    The savedObjectId of the timeline that you want this pinned event unpinned from.

Responses

  • 200 application/json

    Indicates the event was successfully pinned to or unpinned from the Timeline.

    One of:
    • created number | null

      The time the pinned event was created, using a 13-digit Epoch timestamp.

    • createdBy string | null

      The user who created the pinned event.

    • updated number | null

      The last time the pinned event was updated, using a 13-digit Epoch timestamp

    • updatedBy string | null

      The user who last updated the pinned event

    • eventId string Required

      The _id of the associated event for this pinned event.

    • timelineId string Required

      The savedObjectId of the timeline that this pinned event is associated with

    • pinnedEventId string Required

      The savedObjectId of this pinned event

    • version string Required

      The version of this pinned event

PATCH /api/pinned_event
curl \
 --request PATCH 'https://<KIBANA_URL>/api/pinned_event' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","pinnedEventId":"10r1929b-0af7-42bd-85a8-56e234f98h2f3","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}'
Request examples
{
  "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
  "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
  "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e"
}
Response examples (200)
{
  "created": 1587468588922,
  "createdBy": "casetester",
  "updated": 1741344876825,
  "updatedBy": "casetester",
  "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
  "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
  "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
  "version": "WzQ2LDFe"
}
{
  "unpinned": true
}


Reset an SLO

POST /s/{spaceId}/api/observability/slos/{sloId}/_reset

You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • spaceId string Required

    An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.

  • sloId string Required

    An identifier for the SLO.

Responses

  • 200 application/json

    Successful request

    • budgetingMethod string Required

      The budgeting method to use when computing the rollup data.

      Values are occurrences or timeslices.

    • createdAt string Required

      The creation date

    • description string Required

      The description of the SLO.

    • enabled boolean Required

      Indicate if the SLO is enabled

    • groupBy string | array[string] Required

      Optional group-by field or fields used to generate an SLO per distinct value.

    • id string Required

      The identifier of the SLO.

    • indicator object Required

      One of:

      Defines properties for a custom query indicator type

    • name string Required

      The name of the SLO.

    • objective object Required

      Defines properties for the SLO objective

      • target number Required

        The target objective, strictly between 0 and 1.

        Minimum value is 0, maximum value is 100.

      • timesliceTarget number

        The target objective for each slice when using a timeslices budgeting method.

        Minimum value is 0, maximum value is 100.

      • timesliceWindow string

        The duration of each slice when using a timeslices budgeting method, as {duration}{unit}.

    • revision number Required

      The SLO revision

    • settings object Required

      Defines properties for SLO settings.

      • frequency string

        The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.

        Default value is 1m.

      • preventInitialBackfill boolean

        Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.

        Default value is false.

      • syncDelay string

        The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater than the source index refresh interval.

        Default value is 1m.

      • syncField string

        The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, the indicator timestamp field is used.

    • tags array[string] Required

      List of tags

    • timeWindow object Required

      Defines properties for the SLO time window

      • duration string Required

        The duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly).

      • type string Required

        Indicates whether the time window is a rolling or a calendar-aligned time window.

        Values are rolling or calendarAligned.

    • updatedAt string Required

      The last update date

    • version number Required

      The internal SLO version

  • 400 application/json

    Bad request

  • 401 application/json

    Unauthorized response

  • 403 application/json

    Unauthorized response

  • 404 application/json

    Not found response

POST /s/{spaceId}/api/observability/slos/{sloId}/_reset
curl \
 --request POST 'https://<KIBANA_URL>/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414/_reset' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"
Response examples (200)
{
  "budgetingMethod": "occurrences",
  "createdAt": "2023-01-12T10:03:19.000Z",
  "description": "My SLO description",
  "enabled": true,
  "groupBy": [
    [
      "service.name"
    ],
    "service.name",
    [
      "service.name",
      "service.environment"
    ]
  ],
  "id": "8853df00-ae2e-11ed-90af-09bb6422b258",
  "indicator": {
    "params": {
      "dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
      "filter": "field.environment : \"production\" and service.name : \"my-service\"",
      "good": "request.latency <= 150 and request.status_code : \"2xx\"",
      "index": "my-service-*",
      "timestampField": "timestamp",
      "total": "field.environment : \"production\" and service.name : \"my-service\""
    },
    "type": "sli.kql.custom"
  },
  "name": "My Service SLO",
  "objective": {
    "target": 0.99,
    "timesliceTarget": 0.995,
    "timesliceWindow": "5m"
  },
  "revision": 2,
  "settings": {
    "frequency": "5m",
    "preventInitialBackfill": true,
    "syncDelay": "5m",
    "syncField": "event.ingested"
  },
  "tags": [
    "string"
  ],
  "timeWindow": {
    "duration": "30d",
    "type": "rolling"
  },
  "updatedAt": "2023-01-12T10:03:19.000Z",
  "version": 2
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "Invalid value 'foo' supplied to: [...]",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
  "statusCode": 404
}


Enable an SLO

POST /s/{spaceId}/api/observability/slos/{sloId}/enable

You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • spaceId string Required

    An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.

  • sloId string Required

    An identifier for the SLO.

Responses

  • Successful request

  • 400 application/json

    Bad request

  • 401 application/json

    Unauthorized response

  • 403 application/json

    Unauthorized response

  • 404 application/json

    Not found response

POST /s/{spaceId}/api/observability/slos/{sloId}/enable
curl \
 --request POST 'https://<KIBANA_URL>/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414/enable' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"
Response examples (400)
{
  "error": "Bad Request",
  "message": "Invalid value 'foo' supplied to: [...]",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
  "statusCode": 404
}

Get all spaces

GET /api/spaces/space

Query parameters

  • purpose string

    Specifies which authorization checks are applied to the API call. The default value is any.

    Values are any, copySavedObjectsIntoSpace, or shareSavedObjectsIntoSpace.

  • include_authorized_purposes array | boolean | number | object | string Required

    When enabled, the API returns any spaces that the user is authorized to access in any capacity, and each space will contain the purposes for which the user is authorized. This can be useful to determine which spaces a user can read but not take a specific action in. If the security plugin is not enabled, this parameter has no effect, since no authorization checks take place. This parameter cannot be used together with the purpose parameter.

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/spaces/space
curl \
 --request GET 'https://<KIBANA_URL>/api/spaces/space' \
 --header "Authorization: $API_KEY"
Response examples (200)
Get all spaces without specifying any options.
[
  {
    "id": "default",
    "name": "Default",
    "imageUrl": "",
    "_reserved": true,
    "description": "This is the Default Space",
    "disabledFeatures": []
  },
  {
    "id": "marketing",
    "name": "Marketing",
    "color": null,
    "imageUrl": "data:image/png;base64,iVBORw0KGgoAAAANSU",
    "initials": "MK",
    "description": "This is the Marketing Space",
    "disabledFeatures": [
      "apm"
    ]
  },
  {
    "id": "sales",
    "name": "Sales",
    "imageUrl": "",
    "initials": "MK",
    "solution": "oblt",
    "disabledFeatures": [
      "discover"
    ]
  }
]
The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true"
[
  {
    "id": "default",
    "name": "Default",
    "imageUrl": "",
    "_reserved": true,
    "description": "This is the Default Space",
    "disabledFeatures": [],
    "authorizedPurposes": {
      "any": true,
      "findSavedObjects": true,
      "copySavedObjectsIntoSpace": true,
      "shareSavedObjectsIntoSpace": true
    }
  },
  {
    "id": "marketing",
    "name": "Marketing",
    "color": null,
    "imageUrl": "data:image/png;base64,iVBORw0KGgoAAAANSU",
    "initials": "MK",
    "description": "This is the Marketing Space",
    "disabledFeatures": [
      "apm"
    ],
    "authorizedPurposes": {
      "any": true,
      "findSavedObjects": true,
      "copySavedObjectsIntoSpace": true,
      "shareSavedObjectsIntoSpace": true
    }
  },
  {
    "id": "sales",
    "name": "Sales",
    "imageUrl": "",
    "initials": "MK",
    "disabledFeatures": [
      "discover"
    ],
    "authorizedPurposes": {
      "any": true,
      "findSavedObjects": true,
      "copySavedObjectsIntoSpace": false,
      "shareSavedObjectsIntoSpace": false
    }
  }
]

Update a space

PUT /api/spaces/space/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The space identifier. You are unable to change the ID with the update operation.

application/json

Body

  • _reserved boolean
  • color string

    The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.

  • description string

    A description for the space.

  • disabledFeatures array[string]

    The list of features that are turned off in the space.

    Default value is [] (empty).

  • id string Required

    The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.

  • imageUrl string

    The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.

  • initials string

    One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.

    Maximum length is 2.

  • name string Required

    The display name for the space.

    Minimum length is 1.

Responses

  • Indicates a successful call.

PUT /api/spaces/space/{id}
curl \
 --request PUT 'https://<KIBANA_URL>/api/spaces/space/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"id":"marketing","name":"Marketing","color":null,"imageUrl":"","initials":"MK","description":"This is the Marketing Space","disabledFeatures":[]}'
Request example
Update the marketing space to remove the imageUrl.
{
  "id": "marketing",
  "name": "Marketing",
  "color": null,
  "imageUrl": "",
  "initials": "MK",
  "description": "This is the Marketing Space",
  "disabledFeatures": []
}

Bulk update dashboards Technical Preview

POST /api/streams/{name}/dashboards/_bulk

Bulk update dashboards linked to a stream. Can link new dashboards and delete existing ones.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

  • operations array[object] Required
    Any of:
    • index object Required

      Additional properties are NOT allowed.

      • id string Required
POST /api/streams/{name}/dashboards/_bulk
curl \
 --request POST 'https://<KIBANA_URL>/api/streams/{name}/dashboards/_bulk' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"operations":[{"index":{"id":"string"}}]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "operations": [
    {
      "index": {
        "id": "string"
      }
    }
  ]
}

Get stream queries Technical Preview

GET /api/streams/{name}/queries

Fetches all queries linked to a stream that are visible to the current user in the current space.

application/json

Body

object object

Additional properties are NOT allowed.

GET /api/streams/{name}/queries
curl \
 --request GET 'https://<KIBANA_URL>/api/streams/{name}/queries' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"
Request examples
{}

Remove a query from a stream Technical Preview

DELETE /api/streams/{name}/queries/{queryId}

Remove a query from a stream. This is a no-op if the query is not found on the stream.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

object object

Additional properties are NOT allowed.

DELETE /api/streams/{name}/queries/{queryId}
curl \
 --request DELETE 'https://<KIBANA_URL>/api/streams/{name}/queries/{queryId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{}