Run connector API
editRun connector API
editRuns a connector by ID.
For the most up-to-date API details, refer to the open API specification.
Request
editPOST <kibana host>:<port>/api/actions/connector/<id>/_execute
POST <kibana host>:<port>/s/<space_id>/api/actions/connector/<id>/_execute
Prerequisites
editYou must have read
privileges for the Actions and Connectors feature in the
Management section of the
Kibana feature privileges.
If you use an index connector, you must also have all
, create
, index
, or
write
indices privileges.
Description
editYou can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.
Path parameters
edit-
id
- (Required, string) The ID of the connector.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Request body
edit-
params
-
(Required, object) The parameters of the connector. Parameter properties vary depending on the connector type. For information about the parameter properties, refer to Connectors.
Params
propertiesEmail connectors
-
bcc
-
(Optional, array of strings) A list of "blind carbon copy" email addresses.
Addresses can be specified in
user@host-name
format or in name<user@host-name>
format. -
cc
-
(Optional, array of strings) A list of "carbon copy" email addresses.
Addresses can be specified in
user@host-name
format or in name<user@host-name>
format. -
message
- (Required, string) The email message text. Markdown format is supported.
-
subject
- (Required, string) The subject line of the email.
-
to
-
(Required*, array of strings)
A list of email addresses.
Addresses can be specified in
user@host-name
format or in name<user@host-name>
format. There must be at least one recipient into
,cc
, orbcc
.
For more information, refer to Email.
Index connectors
-
documents
- (Required, array of objects) The documents to index in JSON format.
For more information, refer to Index.
Jira connectors
-
subAction
-
(Required, string) The action to test. Valid values include:
fieldsByIssueType
,getFields
,getIncident
,issue
,issues
,issueTypes
, andpushToService
. -
subActionParams
-
(Required*, object) The set of configuration properties, which vary depending on the
subAction
value. This object is not required whensubAction
isgetFields
orissueTypes
.Properties when
subAction
isfieldsByIssueType
-
id
-
(Required, string) The Jira issue type identifier. For example,
10024
.
Properties when
subAction
isgetIncident
-
externalId
-
(Required, string) The Jira issue identifier. For example,
71778
.
Properties when
subAction
isissue
-
id
-
(Required, string) The Jira issue identifier. For example,
71778
.
Properties when
subAction
isissues
-
title
- (Required, string) The title of the Jira issue.
Properties when
subAction
ispushToService
-
comments
-
(Optional, array of objects) Additional information that is sent to Jira.
Properties of
comments
-
comment
- (string) A comment related to the incident. For example, describe how to troubleshoot the issue.
-
commentId
- (integer) A unique identifier for the comment.
-
-
incident
-
(Required, object) Information necessary to create or update a Jira incident.
Properties of
incident
-
description
- (Optional, string) The details about the incident.
-
externalId
- (Optional, string) The Jira issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
-
labels
-
(Optional, array of strings) The labels for the incident. For example,
["LABEL1"]
. NOTE: Labels cannot contain spaces. -
issueType
-
(Optional, integer) The type of incident. For example,
10006
. To obtain the list of valid values, setsubAction
toissueTypes
. -
parent
-
(Optional, string) The ID or key of the parent issue. Applies only to
Sub-task
types of issues. -
priority
-
(Optional, string) The incident priority level. For example,
Lowest
. -
summary
- (Required, string) A summary of the incident.
-
title
- (Optional, string) A title for the incident, used for searching the contents of the knowledge base.
-
-
For more information, refer to Jira.
Opsgenie connectors
-
subAction
-
(Required, string) The action to test. Valid values include:
createAlert
andcloseAlert
. -
subActionParams
-
(Required, object) The set of configuration properties, which vary depending on the
subAction
value.Properties when
subAction
iscreateAlert
-
actions
- (Optional, array of strings) The custom actions available to the alert.
-
alias
- (Optional, string) The unique identifier used for alert deduplication in Opsgenie.
-
description
- (Optional, string) A description that provides detailed information about the alert.
-
details
-
(Optional, object) The custom properties of the alert. For example:
{"key1":"value1","key2":"value2"}
. -
entity
- (Optional, string) The domain of the alert. For example, the application or server name.
-
message
- (Required, string) The alert message.
-
note
- (Optional, string) Additional information for the alert.
-
priority
-
(Optional, string) The priority level for the alert. Valid values are:
P1
,P2
,P3
,P4
, andP5
. -
responders
-
(Optional, array of objects) The entities to receive notifications about the alert. If
type
isuser
, eitherid
orusername
is required. Iftype
isteam
, eitherid
orname
is required.Properties of
responders
objects-
id
- (Required*, string) The identifier for the entity.
-
name
- (Required*, string) The name of the entity.
-
type
-
(Required, string) Valid values are
escalation
,schedule
,team
, anduser
. -
username
- (Required*, string) A valid email address for the user.
-
-
source
- (Optional, string) The display name for the source of the alert.
-
tags
- (Optional, array of strings) The tags for the alert.
-
user
- (Optional, string) The display name for the owner.
-
visibleTo
-
(Optional, array of objects) The teams and users that the alert will be visible to without sending a notification. Only one of
id
,name
, orusername
is required.Properties of
visibleTo
objects-
id
- (Required*, string) The identifier for the entity.
-
name
- (Required*, string) The name of the entity.
-
type
-
(Required, string) Valid values are
team
anduser
. -
username
-
(Required*, string) The user name. This property is required only when the
type
isuser
.
-
Properties when
subAction
iscloseAlert
-
alias
- (Required, string) The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert.
-
note
- (Optional, string) Additional information for the alert.
-
source
- (Optional, string) The display name for the source of the alert.
-
user
- (Optional, string) The display name for the owner.
-
For more information, refer to Opsgenie.
ServiceNow ITOM connectors
-
subAction
-
(Required, string) The action to test. Valid values include:
addEvent
andgetChoices
. -
subActionParams
-
(Required*, object) The set of configuration properties, which vary depending on the
subAction
value.Properties when
subAction
isaddEvent
-
additional_info
- (Optional, string) Additional information about the event.
-
description
- (Optional, string) The details about the event.
-
event_class
- (Optional, string) A specific instance of the source.
-
message_key
-
(Optional, string) All actions sharing this key are associated with the same
ServiceNow alert. The default value is
<rule ID>:<alert instance ID>
. -
metric_name
- (Optional, string) The name of the metric.
-
node
- (Optional, string) The host that the event was triggered for.
-
resource
- (Optional, string) The name of the resource.
-
severity
- (Optional, string) The severity of the event.
-
source
- (Optional, string) The name of the event source type.
-
time_of_event
- (Optional, string) The time of the event.
-
type
- (Optional, string) The type of event.
Properties when
subAction
isgetChoices
-
fields
-
(Required, array of strings) An array of fields. For example,
["severity"]
.
-
ServiceNow ITSM connectors
-
subAction
-
(Required, string) The action to test. Valid values include:
getFields
,getIncident
,getChoices
, andpushToService
. -
subActionParams
-
(Required*, object) The set of configuration properties, which vary depending on the
subAction
value. This object is not required whensubAction
isgetFields
.Properties when
subAction
isgetChoices
-
fields
-
(Required, array of strings) An array of fields. For example,
["category","impact"]
.
Properties when
subAction
isgetIncident
-
externalId
- (Required, string) The ServiceNow ITSM issue identifier.
Properties when
subAction
ispushToService
-
comments
-
(Optional, array of objects) Additional information that is sent to ServiceNow ITSM.
Properties of
comments
-
comment
- (string) A comment related to the incident. For example, describe how to troubleshoot the issue.
-
commentId
- (integer) A unique identifier for the comment.
-
-
incident
-
(Required, object) Information necessary to create or update a ServiceNow ITSM incident.
Properties of
incident
-
category
- (Optional, string) The category of the incident.
-
correlation_display
- (Optional, string) A descriptive label of the alert for correlation purposes in ServiceNow.
-
correlation_id
-
(Optional, string) The correlation identifier for the security incident. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as
{{ruleID}}:{{alert ID}}
to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters.Using the default configuration of
{{ruleID}}:{{alert ID}}
ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. -
description
- (Optional, string) The details about the incident.
-
externalId
- (Optional, string) The ServiceNow ITSM issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
-
impact
- (Optional, string) The impact in ServiceNow ITSM.
-
severity
- (Optional, string) The severity of the incident.
-
short_description
- (Required, string) A short description for the incident, used for searching the contents of the knowledge base.
-
subcategory
- (Optional, string) The subcategory in ServiceNow ITSM.
-
urgency
- (Optional, string) The urgency in ServiceNow ITSM.
-
-
ServiceNow SecOps connectors
-
subAction
-
(Required, string) The action to test. Valid values include:
getFields
,getIncident
,getChoices
, andpushToService
. -
subActionParams
-
(Required*, object) The set of configuration properties, which vary depending on the
subAction
value. This object is not required whensubAction
isgetFields
.Properties when
subAction
isgetChoices
-
fields
-
(Required, array of strings) An array of fields. For example,
["priority","category"]
.
Properties when
subAction
isgetIncident
-
externalId
- (Required, string) The ServiceNow SecOps issue identifier.
Properties when
subAction
ispushToService
-
comments
-
(Optional, array of objects) Additional information that is sent to ServiceNow SecOps.
Properties of
comments
-
comment
- (string) A comment related to the incident. For example, describe how to troubleshoot the issue.
-
commentId
- (integer) A unique identifier for the comment.
-
-
incident
-
(Required, object) Information necessary to create or update a ServiceNow SecOps incident.
Properties of
incident
-
category
- (Optional, string) The category of the incident.
-
correlation_display
- (Optional, string) A descriptive label of the alert for correlation purposes in ServiceNow.
-
correlation_id
-
(Optional, string) The correlation identifier for the security incident. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as
{{ruleID}}:{{alert ID}}
to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters.Using the default configuration of
{{ruleID}}:{{alert ID}}
ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. -
description
- (Optional, string) The details about the incident.
-
dest_ip
- (Optional, string or array of strings) A list of destination IP addresses related to the security incident. The IPs are added as observables to the security incident.
-
externalId
- (Optional, string) The ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
-
malware_hash
- (Optional, string or array of strings) A list of malware hashes related to the security incident. The hashes are added as observables to the security incident.
-
malware_url
- (Optional, string or array of strings) A list of malware URLs related to the security incident. The URLs are added as observables to the security incident.
-
priority
- (Optional, string) The priority of the incident.
-
short_description
- (Required, string) A short description for the incident, used for searching the contents of the knowledge base.
-
source_ip
- (Optional, string or array of strings) A list of source IP addresses related to the security incident. The IPs are added as observables to the security incident.
-
subcategory
- (Optional, string) The subcategory of the incident.
-
-
Server log connectors
-
level
-
(Optional, string) The log level of the message:
trace
,debug
,info
,warn
,error
, orfatal
. Defaults toinfo
. -
message
- (Required, string) The message to log.
Slack connectors
-
message
-
(Required*, string) The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
It is applicable only when the connector type is
.slack
. -
subAction
-
(Required*, string) The action to test.
It is applicable only when the connector type is
.slack_api
. Valid values include:postMessage
,validChannelId
.
-
subActionParams
-
(Required, object) The set of configuration properties, which vary depending on the
subAction
value.Properties when
subAction
ispostMessage
-
channelIds
- (Optional, array of strings) The Slack channel identifier, which must be one of the allowed channels in the connector configuration.
-
channels
- (Optional, array of strings) The name of a channel that your Slack app has access to. [8.12.0] Deprecated in 8.12.0.
-
text
- (Optional, string) The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
Properties when
subAction
isvalidChannelId
-
channelId
-
(Required, string) The Slack channel identifier. For example,
C123ABC456
.
-
Swimlane connectors
-
subAction
-
(Required, string) The action to test. It must be
pushToService
. -
subActionParams
-
(Required, object) The set of configuration properties.
Properties of
subActionParams
-
comments
-
(Optional, array of objects) Additional information that is sent to Swimlane.
Properties of
comments
objects- comment
- (string) A comment related to the incident. For example, describe how to troubleshoot the issue.
- commentId
- (integer) A unique identifier for the comment.
-
incident
-
(Required, object) Information necessary to create or update a Swimlane incident.
Properties of
incident
-
alertId
- (Optional, string) The alert identifier.
-
caseId
- (Optional, string) The case identifier for the incident.
-
caseName
- (Optional, string) The case name for the incident.
-
description
- (Optional, string) The description of the incident.
-
ruleName
- (Optional, string) The rule name.
-
severity
- (Optional, string) The severity of the incident.
-
-
-
Response codes
edit-
200
- Indicates a successful call.
Examples
editRun an index connector:
POST api/actions/connector/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad/_execute { "params": { "documents": [ { "id": "test_doc_id", "name": "test_doc_name", "message": "hello, world" } ] } }
The API returns the following:
{ "status": "ok", "data": { "took": 10, "errors": false, "items": [ { "index": { "_index": "test-index", "_id": "iKyijHcBKCsmXNFrQe3T", "_version": 1, "result": "created", "_shards": { "total": 2, "successful": 1, "failed": 0 }, "_seq_no": 0, "_primary_term": 1, "status": 201 } } ] }, "connector_id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad" }
Run a server log connector:
POST api/actions/connector/7fc7b9a0-ecc9-11ec-8736-e7d63118c907/_execute { "params": { "level": "warn", "message": "Test warning message" } }
The API returns the following:
{"status":"ok","connector_id":"7fc7b9a0-ecc9-11ec-8736-e7d63118c907"}
Retrieve the list of issue types for a Jira connector:
POST api/actions/connector/b3aad810-edbe-11ec-82d1-11348ecbf4a6/_execute { "params": { "subAction": "issueTypes" } }
The API returns the following:
{ "status":"ok", "data":[ {"id":"10024","name":"Improvement"},{"id":"10006","name":"Task"}, {"id":"10007","name":"Sub-task"},{"id":"10025","name":"New Feature"}, {"id":"10023","name":"Bug"},{"id":"10000","name":"Epic"} ], "connector_id":"b3aad810-edbe-11ec-82d1-11348ecbf4a6" }
Create then update a Swimlane incident:
POST api/actions/connector/a4746470-2f94-11ed-b0e0-87533c532698/_execute { "params":{ "subAction":"pushToService", "subActionParams":{ "incident":{ "description":"Description of the incident", "caseName":"Case name", "caseId":"1000" }, "comments":[ {"commentId":"1","comment":"A comment about the incident"} ] } } } POST api/actions/connector/a4746470-2f94-11ed-b0e0-87533c532698/_execute { "params":{ "subAction":"pushToService", "subActionParams":{ "incident":{ "caseId":"1000", "caseName":"A new case name" } } } }
Retrieve the list of choices for a ServiceNow ITOM connector:
POST api/actions/connector/9d9be270-2fd2-11ed-b0e0-87533c532698/_execute { "params": { "subAction": "getChoices", "subActionParams": { "fields": [ "severity","urgency" ] } } }
The API returns the severity and urgency choices, for example:
{ "status": "ok", "data":[ {"dependent_value":"","label":"Critical","value":"1","element":"severity"}, {"dependent_value":"","label":"Major","value":"2","element":"severity"}, {"dependent_value":"","label":"Minor","value":"3","element":"severity"}, {"dependent_value":"","label":"Warning","value":"4","element":"severity"}, {"dependent_value":"","label":"OK","value":"5","element":"severity"}, {"dependent_value":"","label":"Clear","value":"0","element":"severity"}, {"dependent_value":"","label":"1 - High","value":"1","element":"urgency"}, {"dependent_value":"","label":"2 - Medium","value":"2","element":"urgency"}, {"dependent_value":"","label":"3 - Low","value":"3","element":"urgency"}], "connector_id":"9d9be270-2fd2-11ed-b0e0-87533c532698" }