Get information about rules

GET /api/alerting/rules/_find
Api key auth

Query parameters

  • per_page number

    The number of rules to return per page.

    Minimum value is 0. Default value is 10.

  • page number

    The page number to return.

    Minimum value is 1. Default value is 1.

  • default_search_operator string

    The default operator to use for the simple_query_string.

    Values are OR or AND. Default value is OR.

  • search_fields array[string] | string

    The fields to perform the simple_query_string parsed query against.

  • sort_field string

    Determines which field is used to sort the results. The field must exist in the attributes key of the response.

  • sort_order string

    Determines the sort order.

    Values are asc or desc.

  • has_reference object | null

    Filters the rules that have a relation with the reference objects with a specific type and identifier.

    Additional properties are NOT allowed.

    Hide has_reference attributes Show has_reference attributes object | null
  • fields array[string]

    The fields to return in the attributes key of the response.

  • filter string

    A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22.

  • filter_consumers array[string]

    List of consumers to filter.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • alerts_filter object

        Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • timeframe object

          Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • frequency object

        Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • use_alert_data_for_template boolean

        Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • alert_delay object

      Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • api_key_created_by_user boolean | null

      Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • last_duration number

        Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • status_change_threshold number Required

        The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • outcome_order number

        Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • mapped_params object

      Additional properties are allowed.

    • monitoring object

      Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • total_alerts_created number | null

              Total number of alerts created during last rule run.

            • total_alerts_detected number | null

              Total number of alerts detected during last rule run.

            • total_indexing_duration_ms number | null

              Total time spent indexing documents during last rule run in milliseconds.

            • total_search_duration_ms number | null

              Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • scheduled_task_id string

      Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • view_in_app_relative_url string | null

      Relative URL to view rule in the app.
  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

GET /api/alerting/rules/_find 
curl \
 --request GET 'https://<KIBANA_URL>/api/alerting/rules/_find' \
 --header "Authorization: $API_KEY"
Response examples (200)
A response that contains information about an index threshold rule. 
{
  "data": [
    {
      "id": "3583a470-74f6-11ed-9801-35303b735aef",
      "name": "my alert",
      "tags": [
        "cpu"
      ],
      "params": {
        "index": [
          "test-index"
        ],
        "aggType": "avg",
        "groupBy": "top",
        "aggField": "sheet.version",
        "termSize": 6,
        "termField": "name.keyword",
        "threshold": [
          1000
        ],
        "timeField": "@timestamp",
        "timeWindowSize": 5,
        "timeWindowUnit": "m",
        "thresholdComparator": ">"
      },
      "actions": [
        {
          "id": "9dca3e00-74f5-11ed-9801-35303b735aef",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "threshold met",
          "params": {
            "level": "info",
            "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
            "connector_type_id": ".server-log"
          },
          "frequency": {
            "summary": false,
            "throttle": null,
            "notify_when": "onActionGroupChange"
          }
        }
      ],
      "enabled": true,
      "consumer": "alerts",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": null,
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        }
      },
      "mute_all": false,
      "next_run": "2022-12-06T01:45:23.912Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2022-12-05T23:40:33.132Z",
      "created_by": "elastic",
      "updated_at": "2022-12-05T23:40:33.132Z",
      "updated_by": "elastic",
      "rule_type_id": ".index-threshold",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 48,
        "last_execution_date": "2022-12-06T01:44:23.983Z"
      },
      "scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}
A response that contains information about a security rule that has conditional actions. 
{
  "data": [
    {
      "id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "name": "security_rule",
      "tags": [],
      "params": {
        "to": "now",
        "from": "now-3660s",
        "meta": {
          "from": "1h",
          "kibana_siem_app_url": "https://localhost:5601/app/security"
        },
        "type": "threshold",
        "index": [
          "kibana_sample_data_logs"
        ],
        "query": "*",
        "author": [],
        "ruleId": "an_internal_rule_id",
        "threat": [],
        "filters": [],
        "license": "",
        "version": 1,
        "language": "kuery",
        "severity": "low",
        "immutable": false,
        "riskScore": 21,
        "threshold": {
          "field": [
            "bytes"
          ],
          "value": 1,
          "cardinality": []
        },
        "maxSignals": 100,
        "references": [],
        "description": "A security threshold rule.",
        "outputIndex": "",
        "exceptionsList": [],
        "falsePositives": [],
        "severityMapping": [],
        "riskScoreMapping": []
      },
      "actions": [
        {
          "id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "default",
          "params": {
            "documents": [
              {
                "rule_id": {
                  "[object Object]": null
                },
                "alert_id": {
                  "[object Object]": null
                },
                "rule_name": {
                  "[object Object]": null
                },
                "context_message": {
                  "[object Object]": null
                }
              }
            ]
          },
          "frequency": {
            "summary": true,
            "throttle": null,
            "notify_when": "onActiveAlert"
          },
          "alerts_filter": {
            "query": {
              "kql": "",
              "filters": [
                {
                  "meta": {
                    "key": "client.geo.region_iso_code",
                    "alias": null,
                    "field": "client.geo.region_iso_code",
                    "index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
                    "negate": false,
                    "params": {
                      "type": "phrase",
                      "query": "CA-QC"
                    },
                    "disabled": false
                  },
                  "query": {
                    "match_phrase": {
                      "client.geo.region_iso_code": "CA-QC"
                    }
                  },
                  "$state": {
                    "store": "appState"
                  }
                }
              ]
            },
            "timeframe": {
              "days": [
                7
              ],
              "hours": {
                "end": "17:00",
                "start": "08:00"
              },
              "timezone": "UTC"
            }
          },
          "connector_type_id": ".index"
        }
      ],
      "enabled": true,
      "running": false,
      "consumer": "siem",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": [
          "Rule execution completed successfully"
        ],
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        },
        "outcome_order": 0
      },
      "mute_all": false,
      "next_run": "2023-05-16T20:27:49.507Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2023-05-16T15:50:28.358Z",
      "created_by": "elastic",
      "updated_at": "2023-05-16T20:25:42.559Z",
      "updated_by": "elastic",
      "notify_when": null,
      "rule_type_id": "siem.thresholdRule",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 166,
        "last_execution_date": "2023-05-16T20:26:49.590Z"
      },
      "scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}

Delete source map

DELETE /api/apm/sourcemaps/{id}
Api key auth

Delete a previously uploaded source map. You must have all Kibana privileges for the APM and User Experience feature.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    Source map identifier

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
  • 501 application/json

    Not Implemented response

    Hide response attributes Show response attributes object
DELETE /api/apm/sourcemaps/{id} 
curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \
-H 'Content-Type: application/json' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}'
Response examples (200) 
{}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500) 
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501) 
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Run a connector

POST /api/actions/connector/{id}/_execute
Api key auth

You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

application/json

Body

  • params object Required

    One of:
    run_acknowledge_resolve_pagerduty object run_documents object run_message_email object run_message_serverlog object run_message_slack object run_trigger_pagerduty object run_addevent object run_closealert object run_closeincident object run_createalert object run_fieldsbyissuetype object run_getchoices object run_getfields object run_getincident object run_issue object run_issues object run_issuetypes object run_postmessage object run_pushtoservice object run_validchannelid object

    Test an action that acknowledges or resolves a PagerDuty alert.

    Hide attributes Show attributes
    • dedupKey string Required

      The deduplication key for the PagerDuty alert.

      Maximum length is 255.

    • eventAction string Required

      The type of event.

      Values are acknowledge or resolve.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • is_missing_secrets boolean

      Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.
POST /api/actions/connector/{id}/_execute 
curl \
 --request POST 'https://<KIBANA_URL>/api/actions/connector/{id}/_execute' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"params":{"documents":[{"id":"my_doc_id","name":"my_doc_name","message":"hello, world"}]}}'
Request examples 
{
  "params": {
    "documents": [
      {
        "id": "my_doc_id",
        "name": "my_doc_name",
        "message": "hello, world"
      }
    ]
  }
}
{
  "params": {
    "subAction": "issueTypes"
  }
}
{
  "params": {
    "subAction": "getChoices",
    "subActionParams": {
      "fields": [
        "severity",
        "urgency"
      ]
    }
  }
}
{
  "params": {
    "subAction": "postMessage",
    "subActionParams": {
      "text": "A test message.",
      "channelIds": [
        "C123ABC456"
      ]
    }
  }
}
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "comments": [
        {
          "comment": "A comment about the incident.",
          "commentId": 1
        }
      ],
      "incident": {
        "caseId": "1000",
        "caseName": "Case name",
        "description": "Description of the incident."
      }
    }
  }
}
Response examples (200) 
{
  "data": {
    "took": 135,
    "items": [
      {
        "create": {
          "_id": "4JtvwYUBrcyxt2NnfW3y",
          "_index": "my-index",
          "result": "created",
          "status": 201,
          "_seq_no": 0,
          "_shards": {
            "total": 2,
            "failed": 0,
            "successful": 1
          },
          "_version": 1,
          "_primary_term": 1
        }
      }
    ],
    "errors": false
  },
  "status": "ok",
  "connector_id": "fd38c600-96a5-11ed-bb79-353b74189cba"
}
{
  "data": [
    {
      "id": 10024,
      "name": "Improvement"
    },
    {
      "id": 10006,
      "name": "Task"
    },
    {
      "id": 10007,
      "name": "Sub-task"
    },
    {
      "id": 10025,
      "name": "New Feature"
    },
    {
      "id": 10023,
      "name": "Bug"
    },
    {
      "id": 10000,
      "name": "Epic"
    }
  ],
  "status": "ok",
  "connector_id": "b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}
{
  "status": "ok",
  "connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}
{
  "data": [
    {
      "label": "Critical",
      "value": 1,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Major",
      "value": 2,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Minor",
      "value": 3,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Warning",
      "value": 4,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "OK",
      "value": 5,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Clear",
      "value": 0,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "1 - High",
      "value": 1,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "2 - Medium",
      "value": 2,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "3 - Low",
      "value": 3,
      "element": "urgency",
      "dependent_value": ""
    }
  ],
  "status": "ok",
  "connector_id": "9d9be270-2fd2-11ed-b0e0-87533c532698"
}
{
  "data": {
    "ok": true,
    "ts": "1234567890.123456",
    "channel": "C123ABC456",
    "message": {
      "ts": "1234567890.123456",
      "team": "T01ABCDE2F",
      "text": "A test message",
      "type": "message",
      "user": "U12A345BC6D",
      "app_id": "A01BC2D34EF",
      "blocks": [
        {
          "type": "rich_text",
          "block_id": "/NXe",
          "elements": [
            {
              "type": "rich_text_section",
              "elements": [
                {
                  "text": "A test message.",
                  "type": "text"
                }
              ]
            }
          ]
        }
      ],
      "bot_id": "B12BCDEFGHI",
      "bot_profile": {
        "id": "B12BCDEFGHI",
        "name": "test",
        "icons": {
          "image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"
        },
        "app_id": "A01BC2D34EF",
        "deleted": false,
        "team_id": "T01ABCDE2F",
        "updated": 1672169705
      }
    }
  },
  "status": "ok",
  "connector_id": ".slack_api"
}
{
  "data": {
    "id": "aKPmBHWzmdRQtx6Mx",
    "url": "https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx",
    "title": "TEST-457",
    "comments": [
      {
        "commentId": 1,
        "pushedDate": "2022-09-08T16:52:27.865Z"
      }
    ],
    "pushedDate": "2022-09-08T16:52:27.866Z"
  },
  "status": "ok",
  "connector_id": "a4746470-2f94-11ed-b0e0-87533c532698"
}

Get an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}
Api key auth

Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.

Query parameters

  • format string

    Values are simplified or legacy.

Responses

GET /api/fleet/agent_policies/{agentPolicyId} 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agent_policies/{agentPolicyId}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Elastic Agents

Get available agent versions

GET /api/fleet/agents/available_versions
Api key auth

[Required authorization] Route required privileges: fleet-agents-read.

Responses

GET /api/fleet/agents/available_versions 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agents/available_versions' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "items": [
    "string"
  ]
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agent setup info

GET /api/fleet/agents/setup
Api key auth

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.

Responses

GET /api/fleet/agents/setup 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agents/setup' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "is_secrets_storage_enabled": true,
  "is_space_awareness_enabled": true,
  "isReady": true,
  "missing_optional_features": [
    "encrypted_saved_object_encryption_key_required"
  ],
  "missing_requirements": [
    "security_required"
  ],
  "package_verification_key_id": "string"
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Install a package from the registry

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}
Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Query parameters

application/json

Body

Responses

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion} 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":false,"ignore_constraints":false}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "force": false,
  "ignore_constraints": false
}
Response examples (200) 
{
  "_meta": {
    "install_source": "string"
  },
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get enrollment API keys

GET /api/fleet/enrollment_api_keys
Api key auth

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.

Query parameters

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • policy_id string

        The ID of the agent policy the Elastic Agent will be enrolled in.

    • list array[object] Required Deprecated
      Hide list attributes Show list attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • policy_id string

        The ID of the agent policy the Elastic Agent will be enrolled in.

    • page number Required
    • perPage number Required
    • total number Required
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/enrollment_api_keys 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/enrollment_api_keys' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "items": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "list": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Fleet outputs

Fleet package policies

Update a proxy

PUT /api/fleet/proxies/{itemId}
Api key auth

Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

PUT /api/fleet/proxies/{itemId} 
curl \
 --request PUT 'https://<KIBANA_URL>/api/fleet/proxies/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","name":"string","proxy_headers":{},"url":"string"}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "certificate": "string",
  "certificate_authorities": "string",
  "certificate_key": "string",
  "name": "string",
  "proxy_headers": {},
  "url": "string"
}
Response examples (200) 
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400) 
{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Fleet uninstall tokens

Delete a conversation

DELETE /api/security_ai_assistant/current_user/conversations/{id}
Api key auth

Delete an existing conversation using the conversation ID.

Path parameters

  • id string(nonempty) Required

    The conversation's id value.

    Minimum length is 1.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • apiConfig object

      LLM API configuration.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The time conversation was created.

    • excludeFromLastConversationStorage boolean

      excludeFromLastConversationStorage.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • messages array[object]

      The conversation messages.

      AI assistant conversation message.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        metadata

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • traceData object

        trace Data

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • transactionId string

          Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • replacements object

      Replacements object used to anonymize/deanomymize messsages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object
      Hide summary attributes Show summary attributes object
      • confidence string

        How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • title string Required

      The conversation title.

    • updatedAt string

      The last time conversation was updated.

    • users array[object] Required

      Could be any string, not necessarily a UUID

      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
DELETE /api/security_ai_assistant/current_user/conversations/{id} 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/security_ai_assistant/current_user/conversations/{id}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "createdAt": "string",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "namespace": "string",
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "summary": {
    "confidence": "low",
    "content": "string",
    "public": true,
    "timestamp": "string"
  },
  "timestamp": "string",
  "title": "string",
  "updatedAt": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Isolate an endpoint

POST /api/endpoint/action/isolate
Api key auth

Isolate an endpoint from the network. The endpoint remains isolated until it's released.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object

    Optional parameters object

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/isolate 
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/isolate' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Locked down, pending further investigation","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}'
Request examples 
{
  "comment": "Locked down, pending further investigation",
  "endpoint_ids": [
    "9972d10e-4b9e-41aa-a534-a85e2a28ea42",
    "bc0e4f0c-3bca-4633-9fee-156c0b505d16",
    "fa89271b-b9d4-43f2-a684-307cffddeb5a"
  ]
}
{
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
{
  "comment": "Isolating as initial response",
  "case_ids": [
    "4976be38-c134-4554-bd5e-0fd89ce63667"
  ],
  "endpoint_ids": [
    "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
    "b30a11bf-1395-4707-b508-fbb45ef9793e"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "errors": [],
    "command": "suspend-process",
    "comment": "suspend the process",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2022-07-29T19:08:49.126Z",
    "parameters": {
      "entity_id": "abc123"
    },
    "completedAt": "2022-07-29T19:09:44.961Z",
    "isCompleted": true,
    "wasSuccessful": true
  },
  "action": "233db9ea-6733-4849-9226-5a7039c7161d"
}

Terminate a process

POST /api/endpoint/action/kill_process
Api key auth

Terminate a running process on an endpoint.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Optional parameters object

    Hide parameters attributes Show parameters attributes object
    • pid integer

      The process ID (PID) of the process to terminate.

      Minimum value is 1.

    • entity_id string

      The entity ID of the process to terminate.

      Minimum length is 1.

    • process_name string

      The name of the process to terminate. Valid for SentinelOne agent type only.

      Minimum length is 1.

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/kill_process 
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/kill_process' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"terminate the process","parameters":{"entity_id":"abc123"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example 
{
  "comment": "terminate the process",
  "parameters": {
    "entity_id": "abc123"
  },
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "errors": [],
    "command": "kill-process",
    "comment": "terminate the process",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2022-07-29T19:08:49.126Z",
    "parameters": {
      "entity_id": "abc123"
    },
    "completedAt": "2022-07-29T19:09:44.961Z",
    "isCompleted": true,
    "wasSuccessful": true
  }
}

Scan a file or directory

POST /api/endpoint/action/scan
Api key auth

Scan a specific file or directory on an endpoint for malware.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Optional parameters object

    Hide parameters attribute Show parameters attribute object
    • path string Required

      The folder or file’s full path (including the file name).

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/scan 
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/scan' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Scan the file for malware","parameters":{"path":"/usr/my-file.txt"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example 
{
  "comment": "Scan the file for malware",
  "parameters": {
    "path": "/usr/my-file.txt"
  },
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "27ba1b42-7cc6-4e53-86ce-675c876092b2",
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
      }
    },
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "status": "pending",
    "command": "scan",
    "outputs": {},
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2023-07-28T19:00:03.911Z",
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "parameters": {
      "path": "/usr/my-file.txt"
    },
    "isCompleted": false,
    "wasSuccessful": false
  }
}

Suspend a process

POST /api/endpoint/action/suspend_process
Api key auth

Suspend a running process on an endpoint.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Optional parameters object

    Hide parameters attributes Show parameters attributes object
    • pid integer

      The process ID (PID) of the process to suspend.

      Minimum value is 1.

    • entity_id string

      The entity ID of the process to suspend.

      Minimum length is 1.

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/suspend_process 
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/suspend_process' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"suspend the process","parameters":{"entity_id":"abc123"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example 
{
  "comment": "suspend the process",
  "parameters": {
    "entity_id": "abc123"
  },
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "errors": [],
    "command": "suspend-process",
    "comment": "suspend the process",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2022-07-29T19:08:49.126Z",
    "parameters": {
      "entity_id": "abc123"
    },
    "completedAt": "2022-07-29T19:09:44.961Z",
    "isCompleted": true,
    "wasSuccessful": true
  }
}

Security entity analytics

Initialize an Entity Engine

POST /api/entity_store/engines/{entityType}/init
Api key auth

Path parameters

  • entityType string Required

    The entity type of the engine (either 'user' or 'host').

    Values are user, host, or service.

application/json

Body Required

Schema for the engine initialization

  • delay string

    The delay before the transform will run.

    Format should match the following pattern: [smdh]$. Default value is 1m.

  • docsPerSecond integer

    The number of documents per second to process.

  • enrichPolicyExecutionInterval string

    Interval in which enrich policy runs. For example, "1h" means the rule runs every hour. Must be less than or equal to half the duration of the lookback period,

    Format should match the following pattern: ^[1-9]\d*[smh]$.

  • fieldHistoryLength integer

    The number of historical values to keep for each field.

    Default value is 10.

  • filter string
  • frequency string

    The frequency at which the transform will run.

    Format should match the following pattern: [smdh]$. Default value is 1m.

  • indexPattern string
  • lookbackPeriod string

    The amount of time the transform looks back to calculate the aggregations.

    Format should match the following pattern: [smdh]$. Default value is 24h.

  • timeout string

    The timeout for initializing the aggregating transform.

    Format should match the following pattern: [smdh]$. Default value is 180s.

  • timestampField string

    The field to use as the timestamp for the entity type.

    Default value is @timestamp.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 400

    Invalid request

POST /api/entity_store/engines/{entityType}/init 
curl \
 --request POST 'https://<KIBANA_URL>/api/entity_store/engines/{entityType}/init' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"delay":"1m","docsPerSecond":42,"enrichPolicyExecutionInterval":"1h","fieldHistoryLength":10,"filter":"string","frequency":"1m","indexPattern":"string","lookbackPeriod":"24h","timeout":"180s","timestampField":"@timestamp"}'
Request examples 
{
  "delay": "1m",
  "docsPerSecond": 42,
  "enrichPolicyExecutionInterval": "1h",
  "fieldHistoryLength": 10,
  "filter": "string",
  "frequency": "1m",
  "indexPattern": "string",
  "lookbackPeriod": "24h",
  "timeout": "180s",
  "timestampField": "@timestamp"
}
Response examples (200) 
{
  "delay": "1m",
  "docsPerSecond": 42,
  "error": {
    "action": "init",
    "message": "string"
  },
  "fieldHistoryLength": 42,
  "filter": "string",
  "frequency": "1m",
  "indexPattern": "string",
  "lookbackPeriod": "24h",
  "status": "installing",
  "timeout": "180s",
  "timestampField": "string",
  "type": "user"
}

Get the status of the Entity Store

GET /api/entity_store/status
Api key auth

Query parameters

  • include_components boolean

    If true returns a detailed status of the engine including all it's components

Responses

GET /api/entity_store/status 
curl \
 --request GET 'https://<KIBANA_URL>/api/entity_store/status' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "engines": [
    {
      "delay": "1m",
      "docsPerSecond": 42,
      "error": {
        "action": "init",
        "message": "string"
      },
      "fieldHistoryLength": 42,
      "filter": "string",
      "frequency": "1m",
      "indexPattern": "string",
      "lookbackPeriod": "24h",
      "status": "installing",
      "timeout": "180s",
      "timestampField": "string",
      "type": "user",
      "components": [
        {
          "errors": [
            {
              "message": "string",
              "title": "string"
            }
          ],
          "health": "green",
          "id": "string",
          "installed": true,
          "metadata": {
            "delete_time_in_ms": 42,
            "documents_deleted": 42,
            "documents_indexed": 42,
            "documents_processed": 42,
            "exponential_avg_checkpoint_duration_ms": 42,
            "exponential_avg_documents_indexed": 42,
            "exponential_avg_documents_processed": 42,
            "index_failures": 42,
            "index_time_in_ms": 42,
            "index_total": 42,
            "pages_processed": 42,
            "processing_time_in_ms": 42,
            "processing_total": 42,
            "search_failures": 42,
            "search_time_in_ms": 42,
            "search_total": 42,
            "trigger_count": 42
          },
          "resource": "entity_engine"
        }
      ]
    }
  ],
  "status": "not_installed"
}

Create rule exception items

POST /api/detection_engine/rules/{id}/exceptions
Api key auth

Create exception items that apply to a single detection rule.

Path parameters

  • id string(uuid) Required

    Detection rule's identifier

application/json

Body Required

Rule exception items.

  • items array[object] Required
    Hide items attributes Show items attributes object
    • comments array[object]

      Default value is [] (empty).

      Hide comments attribute Show comments attribute object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)
    • item_id string(nonempty)

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows. Default value is [] (empty).

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1. Default value is [] (empty).

    • type string Required

      Value is simple.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • comments array[object] Required

      Array of comment fields:

      • comment (string): Comments about the exception item.
      Hide comments attributes Show comments attributes object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updated_at string(date-time)

        Autogenerated date of last object update.

      • updated_by string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)

      The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

    • id string(nonempty) Required

      Exception's identifier.

      Minimum length is 1.

    • item_id string(nonempty) Required

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows. Default value is [] (empty).

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1. Default value is [] (empty).

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Value is simple.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
POST /api/detection_engine/rules/{id}/exceptions 
curl \
 --request POST 'https://<KIBANA_URL>/api/detection_engine/rules/330bdd28-eedf-40e1-bed0-f10176c7f9e0/exceptions' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"items":[{"name":"Sample Exception List Item","tags":["malware"],"type":"simple","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["saturn","jupiter"],"operator":"included"}],"item_id":"simple_list_item","list_id":"simple_list","os_types":["linux"],"description":"This is a sample detection type exception item.","namespace_type":"single"}]}'
Request example 
{
  "items": [
    {
      "name": "Sample Exception List Item",
      "tags": [
        "malware"
      ],
      "type": "simple",
      "entries": [
        {
          "type": "exists",
          "field": "actingProcess.file.signer",
          "operator": "excluded"
        },
        {
          "type": "match_any",
          "field": "host.name",
          "value": [
            "saturn",
            "jupiter"
          ],
          "operator": "included"
        }
      ],
      "item_id": "simple_list_item",
      "list_id": "simple_list",
      "os_types": [
        "linux"
      ],
      "description": "This is a sample detection type exception item.",
      "namespace_type": "single"
    }
  ]
}
Response examples (200) 
[
  {
    "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
    "name": "Sample Exception List Item",
    "tags": [
      "malware"
    ],
    "type": "simple",
    "entries": [
      {
        "type": "exists",
        "field": "actingProcess.file.signer",
        "operator": "excluded"
      },
      {
        "type": "match_any",
        "field": "host.name",
        "value": [
          "saturn",
          "jupiter"
        ],
        "operator": "included"
      }
    ],
    "item_id": "simple_list_item",
    "list_id": "simple_list",
    "_version": "WzQsMV0=",
    "comments": [],
    "os_types": [
      "linux"
    ],
    "created_at": "2025-01-07T20:07:33.119Z",
    "created_by": "elastic",
    "updated_at": "2025-01-07T20:07:33.119Z",
    "updated_by": "elastic",
    "description": "This is a sample detection type exception item.",
    "namespace_type": "single",
    "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
  }
]
Response examples (400) 
{
  "error": "Bad Request",
  "message": "Invalid request payload JSON format",
  "statusCode": 400
}
{
  "error": "Bad Request",
  "message": "[request params]: id: Invalid uuid",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "message": "Unable to create exception-list",
  "status_code": 403
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Delete an exception list

DELETE /api/exception_lists
Api key auth

Delete an exception list using the id or list_id field.

Query parameters

  • id string(nonempty)

    Exception list's identifier. Either id or list_id must be specified.

    Minimum length is 1.

  • list_id string(nonempty)

    Human readable exception list string identifier, e.g. trusted-linux-processes. Either id or list_id must be specified.

    Minimum length is 1.

  • namespace_type string

    Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • id string(nonempty) Required

      Exception list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the list container.

      Additional properties are allowed.

    • name string Required

      The name of the exception list.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Use this field to specify the operating system. Only enter one value.

      Values are linux, macos, or windows.

    • tags array[string]

      String array containing words and phrases to help categorize exception containers.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      The type of exception list to be created. Different list types may denote where they can be utilized.

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version, automatically increasd on updates.

      Minimum value is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    Exception list not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
DELETE /api/exception_lists 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/exception_lists' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "name": "Sample Detection Exception List",
  "tags": [
    "malware"
  ],
  "type": "detection",
  "list_id": "simple_list",
  "version": 1,
  "_version": "WzIsMV0=",
  "os_types": [
    "linux"
  ],
  "immutable": false,
  "created_at": "2025-01-07T19:34:27.942Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T19:34:27.942Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception list.",
  "namespace_type": "single",
  "tie_breaker_id": "78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3"
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message": "exception list list_id: \"foo\" does not exist",
  "status_code": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Export an exception list

POST /api/exception_lists/_export
Api key auth

Export an exception list and its associated items to an NDJSON file.

Query parameters

  • id string(nonempty) Required

    Exception list's identifier.

    Minimum length is 1.

  • list_id string(nonempty) Required

    Exception list's human readable string identifier, e.g. trusted-linux-processes.

    Minimum length is 1.

  • namespace_type string Required

    Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

  • include_expired_exceptions string Required

    Determines whether to include expired exceptions in the exported list. Expiration date defined by expire_time.

    Values are true or false. Default value is true.

Responses

POST /api/exception_lists/_export 
curl \
 --request POST 'https://<KIBANA_URL>/api/exception_lists/_export?id=9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85&list_id=simple_list&namespace_type=agnostic&include_expired_exceptions=true' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1}
{"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"}
{"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request query]: list_id: Required, namespace_type: Required",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message\"": "exception list id: \"foo\" does not exist",
  "status_code\"": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Delete an exception list item

DELETE /api/exception_lists/items
Api key auth

Delete an exception list item using the id or item_id field.

Query parameters

  • id string(nonempty)

    Exception item's identifier. Either id or item_id must be specified

    Minimum length is 1.

  • item_id string(nonempty)

    Human readable exception item string identifier, e.g. trusted-linux-processes. Either id or item_id must be specified

    Minimum length is 1.

  • namespace_type string

    Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • comments array[object] Required

      Array of comment fields:

      • comment (string): Comments about the exception item.
      Hide comments attributes Show comments attributes object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updated_at string(date-time)

        Autogenerated date of last object update.

      • updated_by string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)

      The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

    • id string(nonempty) Required

      Exception's identifier.

      Minimum length is 1.

    • item_id string(nonempty) Required

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows. Default value is [] (empty).

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1. Default value is [] (empty).

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Value is simple.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    Exception list item not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
DELETE /api/exception_lists/items 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/exception_lists/items' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "name": "Sample Exception List Item",
  "tags": [
    "malware"
  ],
  "type": "simple",
  "entries": [
    {
      "type": "exists",
      "field": "actingProcess.file.signer",
      "operator": "excluded"
    },
    {
      "type": "match_any",
      "field": "host.name",
      "value": [
        "saturn",
        "jupiter"
      ],
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzQsMV0=",
  "comments": [],
  "os_types": [
    "linux"
  ],
  "created_at": "2025-01-07T20:07:33.119Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T20:07:33.119Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception item.",
  "namespace_type": "single",
  "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message": "exception list item item_id: \\\"foo\\\" does not exist",
  "status_code": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Security lists

Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

Lists are made up of:

  • List containers: A container for values of the same Elasticsearch data type. The following data types can be used:
    • boolean
    • byte
    • date
    • date_nanos
    • date_range
    • double
    • double_range
    • float
    • float_range
    • half_float
    • integer
    • integer_range
    • ip
    • ip_range
    • keyword
    • long
    • long_range
    • short
    • text
  • List items: The values used to determine whether the exception prevents an alert from being generated.

All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named internal-ip-addresses-southport contains five items, where each item defines one internal IP address:

  1. 192.168.1.1
  2. 192.168.1.3
  3. 192.168.1.18
  4. 192.168.1.12
  5. 192.168.1.7

To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to create an exception list item that references the internal-ip-addresses-southport list.

Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (is in list, is not in list). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule's exceptions_list object.

Lists requirements

Before you can start using lists, you must create the .lists and .items data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to Enable and access detections for a complete list of requirements.

Create a pack

POST /api/osquery/packs
Api key auth

Create a query pack.

application/json

Body Required

  • description string | null

    The pack description.

  • enabled boolean | null

    Enables the pack.

  • name string

    The pack name.

  • policy_ids array[string] | null

    A list of agents policy IDs.

  • queries object

    An object of queries.

    Hide queries attribute Show queries attribute object
    • * object Additional properties
      Hide * attributes Show * attributes object
      • ecs_mapping object | null

        Map osquery results columns or static values to Elastic Common Schema (ECS) fields

        Hide ecs_mapping attribute Show ecs_mapping attribute object | null
      • id string

        The ID of the query.

      • platform string | null

        Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

      • query string

        The SQL query you want to run.

      • removed boolean | null

        Indicates whether the query is removed.

      • saved_query_id string | null

        The ID of a saved query.

      • snapshot boolean | null

        Indicates whether the query is a snapshot.

      • version string | null

        Uses the Osquery versions greater than or equal to the specified version string.

  • shards object

    An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.

    Hide shards attribute Show shards attribute object
    • * number Additional properties

Responses

  • 200 application/json

    OK
POST /api/osquery/packs 
curl \
 --request POST 'https://<KIBANA_URL>/api/osquery/packs' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"name":"my_pack","shards":{"my_policy_id":35,"fleet-server-policy":58},"enabled":true,"queries":{"my_query":{"query":"SELECT * FROM listening_ports;","timeout":120,"interval":60,"ecs_mapping":{"tags":{"value":["tag1","tag2"]},"client.port":{"field":"port"}}}},"policy_ids":["my_policy_id","fleet-server-policy"],"description":"My pack"}'
Request example 
{
  "name": "my_pack",
  "shards": {
    "my_policy_id": 35,
    "fleet-server-policy": 58
  },
  "enabled": true,
  "queries": {
    "my_query": {
      "query": "SELECT * FROM listening_ports;",
      "timeout": 120,
      "interval": 60,
      "ecs_mapping": {
        "tags": {
          "value": [
            "tag1",
            "tag2"
          ]
        },
        "client.port": {
          "field": "port"
        }
      }
    }
  },
  "policy_ids": [
    "my_policy_id",
    "fleet-server-policy"
  ],
  "description": "My pack"
}
Response examples (200) 
{
  "data": {
    "name": "my_pack",
    "shards": [
      {
        "key": "47638692-7c4c-4053-aa3e-7186f28df349",
        "value": 35
      },
      {
        "key": "5e267651-fe50-443e-8d3f-3bbc9171b618",
        "value": 58
      }
    ],
    "enabled": true,
    "queries": {
      "ports": {
        "query": "SELECT * FROM listening_ports;",
        "removed": false,
        "timeout": 120,
        "interval": 60,
        "snapshot": true,
        "ecs_mapping": {
          "client.port": {
            "field": "port"
          }
        }
      }
    },
    "created_at": "2025-02-26T13:37:30.452Z",
    "created_by": "elastic",
    "updated_at": "2025-02-26T13:37:30.452Z",
    "updated_by": "elastic",
    "description": "My pack",
    "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856"
  }
}

Get pack details

GET /api/osquery/packs/{id}
Api key auth

Get the details of a query pack using the pack ID.

Path parameters

  • id string | null Required

    The ID of the pack you want to run, retrieve, update, or delete.

Responses

  • 200 application/json

    OK
GET /api/osquery/packs/{id} 
curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/packs/3c42c847-eb30-4452-80e0-728584042334' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": {
    "id": "3c42c847-eb30-4452-80e0-728584042334",
    "name": "test_pack",
    "type": "osquery-pack",
    "enabled": true,
    "queries": {
      "uptime": {
        "query": "select * from uptime",
        "interval": 3600,
        "ecs_mapping": {
          "message": {
            "field": "days"
          }
        }
      }
    },
    "read_only": false,
    "created_at": "2022-07-25T19:41:10.263Z",
    "created_by": "elastic",
    "namespaces": [
      "default"
    ],
    "policy_ids": [],
    "updated_at": "2022-07-25T20:12:01.455Z",
    "updated_by": "elastic",
    "description": ""
  }
}

Security timeline

You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.

Update an SLO

PUT /s/{spaceId}/api/observability/slos/{sloId}
Api key auth

You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • spaceId string Required

    An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.

  • sloId string Required

    An identifier for the slo.

application/json

Body Required

  • budgetingMethod string

    The budgeting method to use when computing the rollup data.

    Values are occurrences or timeslices.

  • description string

    A description for the SLO.

  • groupBy string | array[string]

    optional group by field or fields to use to generate an SLO per distinct value

    One of:
    string-1 string array-2 array[string]

  • indicator object

    One of:
    SLOs_indicator_properties_custom_kql object SLOs_indicator_properties_apm_availability object SLOs_indicator_properties_apm_latency object SLOs_indicator_properties_custom_metric object SLOs_indicator_properties_histogram object SLOs_indicator_properties_timeslice_metric object

    Defines properties for a custom query indicator type

    Hide attributes Show attributes
  • name string

    A name for the SLO.

  • objective object

    Defines properties for the SLO objective

    Hide objective attributes Show objective attributes object
    • target number Required

      the target objective between 0 and 1 excluded

      Minimum value is 0, maximum value is 100.

    • timesliceTarget number

      the target objective for each slice when using a timeslices budgeting method

      Minimum value is 0, maximum value is 100.

    • timesliceWindow string

      the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}

  • settings object

    Defines properties for SLO settings.

    Hide settings attributes Show settings attributes object
    • frequency string

      The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.

      Default value is 1m.

    • preventInitialBackfill boolean

      Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.

      Default value is false.

    • syncDelay string

      The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.

      Default value is 1m.

    • syncField string

      The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.

  • tags array[string]

    List of tags

  • timeWindow object

    Defines properties for the SLO time window

    Hide timeWindow attributes Show timeWindow attributes object
    • duration string Required

      the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)

    • type string Required

      Indicates weither the time window is a rolling or a calendar aligned time window.

      Values are rolling or calendarAligned.

Responses

  • 200 application/json

    Successful request

    Hide response attributes Show response attributes object
    • budgetingMethod string Required

      The budgeting method to use when computing the rollup data.

      Values are occurrences or timeslices.

    • createdAt string Required

      The creation date

    • description string Required

      The description of the SLO.

    • enabled boolean Required

      Indicate if the SLO is enabled

    • groupBy string | array[string] Required

      optional group by field or fields to use to generate an SLO per distinct value

      One of:
      string-1 string array-2 array[string]
    • id string Required

      The identifier of the SLO.

    • indicator object Required

      One of:
      SLOs_indicator_properties_custom_kql object SLOs_indicator_properties_apm_availability object SLOs_indicator_properties_apm_latency object SLOs_indicator_properties_custom_metric object SLOs_indicator_properties_histogram object SLOs_indicator_properties_timeslice_metric object

      Defines properties for a custom query indicator type

      Hide attributes Show attributes
    • name string Required

      The name of the SLO.

    • objective object Required

      Defines properties for the SLO objective

      Hide objective attributes Show objective attributes object
      • target number Required

        the target objective between 0 and 1 excluded

        Minimum value is 0, maximum value is 100.

      • timesliceTarget number

        the target objective for each slice when using a timeslices budgeting method

        Minimum value is 0, maximum value is 100.

      • timesliceWindow string

        the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}

    • revision number Required

      The SLO revision

    • settings object Required

      Defines properties for SLO settings.

      Hide settings attributes Show settings attributes object
      • frequency string

        The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.

        Default value is 1m.

      • preventInitialBackfill boolean

        Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.

        Default value is false.

      • syncDelay string

        The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.

        Default value is 1m.

      • syncField string

        The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.

    • tags array[string] Required

      List of tags

    • timeWindow object Required

      Defines properties for the SLO time window

      Hide timeWindow attributes Show timeWindow attributes object
      • duration string Required

        the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)

      • type string Required

        Indicates weither the time window is a rolling or a calendar aligned time window.

        Values are rolling or calendarAligned.

    • updatedAt string Required

      The last update date

    • version number Required

      The internal SLO version
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
PUT /s/{spaceId}/api/observability/slos/{sloId} 
curl \
 --request PUT 'https://<KIBANA_URL>/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"budgetingMethod":"occurrences","description":"string","groupBy":[["service.name"],"service.name",["service.name","service.environment"]],"indicator":{"params":{"dataViewId":"03b80ab3-003d-498b-881c-3beedbaf1162","filter":"field.environment : \"production\" and service.name : \"my-service\"","good":"request.latency \u003c= 150 and request.status_code : \"2xx\"","index":"my-service-*","timestampField":"timestamp","total":"field.environment : \"production\" and service.name : \"my-service\""},"type":"sli.kql.custom"},"name":"string","objective":{"target":0.99,"timesliceTarget":0.995,"timesliceWindow":"5m"},"settings":{"frequency":"5m","preventInitialBackfill":true,"syncDelay":"5m","syncField":"event.ingested"},"tags":["string"],"timeWindow":{"duration":"30d","type":"rolling"}}'
Request examples 
# Headers
kbn-xsrf: string

# Payload
{
  "budgetingMethod": "occurrences",
  "description": "string",
  "groupBy": [
    [
      "service.name"
    ],
    "service.name",
    [
      "service.name",
      "service.environment"
    ]
  ],
  "indicator": {
    "params": {
      "dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
      "filter": "field.environment : \"production\" and service.name : \"my-service\"",
      "good": "request.latency <= 150 and request.status_code : \"2xx\"",
      "index": "my-service-*",
      "timestampField": "timestamp",
      "total": "field.environment : \"production\" and service.name : \"my-service\""
    },
    "type": "sli.kql.custom"
  },
  "name": "string",
  "objective": {
    "target": 0.99,
    "timesliceTarget": 0.995,
    "timesliceWindow": "5m"
  },
  "settings": {
    "frequency": "5m",
    "preventInitialBackfill": true,
    "syncDelay": "5m",
    "syncField": "event.ingested"
  },
  "tags": [
    "string"
  ],
  "timeWindow": {
    "duration": "30d",
    "type": "rolling"
  }
}
Response examples (200) 
{
  "budgetingMethod": "occurrences",
  "createdAt": "2023-01-12T10:03:19.000Z",
  "description": "My SLO description",
  "enabled": true,
  "groupBy": [
    [
      "service.name"
    ],
    "service.name",
    [
      "service.name",
      "service.environment"
    ]
  ],
  "id": "8853df00-ae2e-11ed-90af-09bb6422b258",
  "indicator": {
    "params": {
      "dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
      "filter": "field.environment : \"production\" and service.name : \"my-service\"",
      "good": "request.latency <= 150 and request.status_code : \"2xx\"",
      "index": "my-service-*",
      "timestampField": "timestamp",
      "total": "field.environment : \"production\" and service.name : \"my-service\""
    },
    "type": "sli.kql.custom"
  },
  "name": "My Service SLO",
  "objective": {
    "target": 0.99,
    "timesliceTarget": 0.995,
    "timesliceWindow": "5m"
  },
  "revision": 2,
  "settings": {
    "frequency": "5m",
    "preventInitialBackfill": true,
    "syncDelay": "5m",
    "syncField": "event.ingested"
  },
  "tags": [
    "string"
  ],
  "timeWindow": {
    "duration": "30d",
    "type": "rolling"
  },
  "updatedAt": "2023-01-12T10:03:19.000Z",
  "version": 2
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "Invalid value 'foo' supplied to: [...]",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 403
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
  "statusCode": 404
}

Get stream list Technical Preview

GET /api/streams
Api key auth

Fetches list of all streams

application/json

Body

object object

Additional properties are NOT allowed.
GET /api/streams 
curl \
 --request GET 'https://<KIBANA_URL>/api/streams' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"
Request examples 
{}

Upsert group stream settings Technical Preview

PUT /api/streams/{name}/_group
Api key auth

Upserts the group settings of a group stream definition

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • group object Required

    Additional properties are NOT allowed.

    Hide group attributes Show group attributes object
PUT /api/streams/{name}/_group 
curl \
 --request PUT 'https://<KIBANA_URL>/api/streams/{name}/_group' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"group":{"description":"string","members":["string"]}}'
Request examples 
# Headers
kbn-xsrf: true

# Payload
{
  "group": {
    "description": "string",
    "members": [
      "string"
    ]
  }
}

Import content into a stream

POST /api/streams/{name}/content/import
Api key auth

Links content objects to a stream.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

multipart/form-data

Body

object object

Additional properties are NOT allowed.
POST /api/streams/{name}/content/import 
curl \
 --request POST 'https://<KIBANA_URL>/api/streams/{name}/content/import' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --header "kbn-xsrf: true"