Run connector API

edit

Runs a connector by ID.

For the most up-to-date API details, refer to the open API specification.

Request

edit

POST <kibana host>:<port>/api/actions/connector/<id>/_execute

POST <kibana host>:<port>/s/<space_id>/api/actions/connector/<id>/_execute

Prerequisites

edit

You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.

If you use an index connector, you must also have all, create, index, or write indices privileges.

Description

edit

You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.

Path parameters

edit
id
(Required, string) The ID of the connector.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Request body

edit
params

(Required, object) The parameters of the connector. Parameter properties vary depending on the connector type. For information about the parameter properties, refer to Connectors.

Params properties
Email connectors
bcc
(Optional, array of strings) A list of "blind carbon copy" email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format.
cc
(Optional, array of strings) A list of "carbon copy" email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format.
message
(Required, string) The email message text. Markdown format is supported.
subject
(Required, string) The subject line of the email.
to
(Required*, array of strings) A list of email addresses. Addresses can be specified in user@host-name format or in name <user@host-name> format. There must be at least one recipient in to, cc, or bcc.

For more information, refer to Email.

Index connectors
documents
(Required, array of objects) The documents to index in JSON format.

For more information, refer to Index.

Jira connectors
subAction
(Required, string) The action to test. Valid values include: fieldsByIssueType, getFields, getIncident, issue, issues, issueTypes, and pushToService.
subActionParams

(Required*, object) The set of configuration properties, which vary depending on the subAction value. This object is not required when subAction is getFields or issueTypes.

Properties when subAction is fieldsByIssueType
id
(Required, string) The Jira issue type identifier. For example, 10024.
Properties when subAction is getIncident
externalId
(Required, string) The Jira issue identifier. For example, 71778.
Properties when subAction is issue
id
(Required, string) The Jira issue identifier. For example, 71778.
Properties when subAction is issues
title
(Required, string) The title of the Jira issue.
Properties when subAction is pushToService
comments

(Optional, array of objects) Additional information that is sent to Jira.

Properties of comments
comment
(string) A comment related to the incident. For example, describe how to troubleshoot the issue.
commentId
(integer) A unique identifier for the comment.
incident

(Required, object) Information necessary to create or update a Jira incident.

Properties of incident
description
(Optional, string) The details about the incident.
externalId
(Optional, string) The Jira issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
labels
(Optional, array of strings) The labels for the incident. For example, ["LABEL1"]. NOTE: Labels cannot contain spaces.
issueType
(Optional, integer) The type of incident. For example, 10006. To obtain the list of valid values, set subAction to issueTypes.
parent
(Optional, string) The ID or key of the parent issue. Applies only to Sub-task types of issues.
priority
(Optional, string) The incident priority level. For example, Lowest.
summary
(Required, string) A summary of the incident.
title
(Optional, string) A title for the incident, used for searching the contents of the knowledge base.

For more information, refer to Jira.

Opsgenie connectors
subAction
(Required, string) The action to test. Valid values include: createAlert and closeAlert.
subActionParams

(Required, object) The set of configuration properties, which vary depending on the subAction value.

Properties when subAction is createAlert
actions
(Optional, array of strings) The custom actions available to the alert.
alias
(Optional, string) The unique identifier used for alert deduplication in Opsgenie.
description
(Optional, string) A description that provides detailed information about the alert.
details
(Optional, object) The custom properties of the alert. For example: {"key1":"value1","key2":"value2"}.
entity
(Optional, string) The domain of the alert. For example, the application or server name.
message
(Required, string) The alert message.
note
(Optional, string) Additional information for the alert.
priority
(Optional, string) The priority level for the alert. Valid values are: P1, P2, P3, P4, and P5.
responders

(Optional, array of objects) The entities to receive notifications about the alert. If type is user, either id or username is required. If type is team, either id or name is required.

Properties of responders objects
id
(Required*, string) The identifier for the entity.
name
(Required*, string) The name of the entity.
type
(Required, string) Valid values are escalation, schedule, team, and user.
username
(Required*, string) A valid email address for the user.
source
(Optional, string) The display name for the source of the alert.
tags
(Optional, array of strings) The tags for the alert.
user
(Optional, string) The display name for the owner.
visibleTo

(Optional, array of objects) The teams and users that the alert will be visible to without sending a notification. Only one of id, name, or username is required.

Properties of visibleTo objects
id
(Required*, string) The identifier for the entity.
name
(Required*, string) The name of the entity.
type
(Required, string) Valid values are team and user.
username
(Required*, string) The user name. This property is required only when the type is user.
Properties when subAction is closeAlert
alias
(Required, string) The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert.
note
(Optional, string) Additional information for the alert.
source
(Optional, string) The display name for the source of the alert.
user
(Optional, string) The display name for the owner.

For more information, refer to Opsgenie.

ServiceNow ITOM connectors
subAction
(Required, string) The action to test. Valid values include: addEvent and getChoices.
subActionParams

(Required*, object) The set of configuration properties, which vary depending on the subAction value.

Properties when subAction is addEvent
additional_info
(Optional, string) Additional information about the event.
description
(Optional, string) The details about the event.
event_class
(Optional, string) A specific instance of the source.
message_key
(Optional, string) All actions sharing this key are associated with the same ServiceNow alert. The default value is <rule ID>:<alert instance ID>.
metric_name
(Optional, string) The name of the metric.
node
(Optional, string) The host that the event was triggered for.
resource
(Optional, string) The name of the resource.
severity
(Optional, string) The severity of the event.
source
(Optional, string) The name of the event source type.
time_of_event
(Optional, string) The time of the event.
type
(Optional, string) The type of event.
Properties when subAction is getChoices
fields
(Required, array of strings) An array of fields. For example, ["severity"].
ServiceNow ITSM connectors
subAction
(Required, string) The action to test. Valid values include: getFields, getIncident, getChoices, and pushToService.
subActionParams

(Required*, object) The set of configuration properties, which vary depending on the subAction value. This object is not required when subAction is getFields.

Properties when subAction is getChoices
fields
(Required, array of strings) An array of fields. For example, ["category","impact"].
Properties when subAction is getIncident
externalId
(Required, string) The ServiceNow ITSM issue identifier.
Properties when subAction is pushToService
comments

(Optional, array of objects) Additional information that is sent to ServiceNow ITSM.

Properties of comments
comment
(string) A comment related to the incident. For example, describe how to troubleshoot the issue.
commentId
(integer) A unique identifier for the comment.
incident

(Required, object) Information necessary to create or update a ServiceNow ITSM incident.

Properties of incident
category
(Optional, string) The category of the incident.
correlation_display
(Optional, string) A descriptive label of the alert for correlation purposes in ServiceNow.
correlation_id

(Optional, string) The correlation identifier for the security incident. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as {{ruleID}}:{{alert ID}} to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters.

Using the default configuration of {{ruleID}}:{{alert ID}} ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.

description
(Optional, string) The details about the incident.
externalId
(Optional, string) The ServiceNow ITSM issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
impact
(Optional, string) The impact in ServiceNow ITSM.
severity
(Optional, string) The severity of the incident.
short_description
(Required, string) A short description for the incident, used for searching the contents of the knowledge base.
subcategory
(Optional, string) The subcategory in ServiceNow ITSM.
urgency
(Optional, string) The urgency in ServiceNow ITSM.
ServiceNow SecOps connectors
subAction
(Required, string) The action to test. Valid values include: getFields, getIncident, getChoices, and pushToService.
subActionParams

(Required*, object) The set of configuration properties, which vary depending on the subAction value. This object is not required when subAction is getFields.

Properties when subAction is getChoices
fields
(Required, array of strings) An array of fields. For example, ["priority","category"].
Properties when subAction is getIncident
externalId
(Required, string) The ServiceNow SecOps issue identifier.
Properties when subAction is pushToService
comments

(Optional, array of objects) Additional information that is sent to ServiceNow SecOps.

Properties of comments
comment
(string) A comment related to the incident. For example, describe how to troubleshoot the issue.
commentId
(integer) A unique identifier for the comment.
incident

(Required, object) Information necessary to create or update a ServiceNow SecOps incident.

Properties of incident
category
(Optional, string) The category of the incident.
correlation_display
(Optional, string) A descriptive label of the alert for correlation purposes in ServiceNow.
correlation_id

(Optional, string) The correlation identifier for the security incident. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as {{ruleID}}:{{alert ID}} to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters.

Using the default configuration of {{ruleID}}:{{alert ID}} ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.

description
(Optional, string) The details about the incident.
dest_ip
(Optional, string or array of strings) A list of destination IP addresses related to the security incident. The IPs are added as observables to the security incident.
externalId
(Optional, string) The ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
malware_hash
(Optional, string or array of strings) A list of malware hashes related to the security incident. The hashes are added as observables to the security incident.
malware_url
(Optional, string or array of strings) A list of malware URLs related to the security incident. The URLs are added as observables to the security incident.
priority
(Optional, string) The priority of the incident.
short_description
(Required, string) A short description for the incident, used for searching the contents of the knowledge base.
source_ip
(Optional, string or array of strings) A list of source IP addresses related to the security incident. The IPs are added as observables to the security incident.
subcategory
(Optional, string) The subcategory of the incident.
Server log connectors
level
(Optional, string) The log level of the message: trace, debug, info, warn, error, or fatal. Defaults to info.
message
(Required, string) The message to log.
Slack connectors
message
(Required*, string) The Slack message text, which cannot contain Markdown, images, or other advanced formatting. It is applicable only when the connector type is .slack.
subAction
(Required*, string) The action to test. It is applicable only when the connector type is .slack_api. Valid values include: postMessage, validChannelId.
subActionParams

(Required, object) The set of configuration properties, which vary depending on the subAction value.

Properties when subAction is postMessage
channelIds
(Optional, array of strings) The Slack channel identifier, which must be one of the allowed channels in the connector configuration.
channels
(Optional, array of strings) The name of a channel that your Slack app has access to. [8.12.0] Deprecated in 8.12.0.
text
(Optional, string) The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
Properties when subAction is validChannelId
channelId
(Required, string) The Slack channel identifier. For example, C123ABC456.
Swimlane connectors
subAction
(Required, string) The action to test. It must be pushToService.
subActionParams

(Required, object) The set of configuration properties.

Properties of subActionParams
comments

(Optional, array of objects) Additional information that is sent to Swimlane.

Properties of comments objects
comment
(string) A comment related to the incident. For example, describe how to troubleshoot the issue.
commentId
(integer) A unique identifier for the comment.
incident

(Required, object) Information necessary to create or update a Swimlane incident.

Properties of incident
alertId
(Optional, string) The alert identifier.
caseId
(Optional, string) The case identifier for the incident.
caseName
(Optional, string) The case name for the incident.
description
(Optional, string) The description of the incident.
ruleName
(Optional, string) The rule name.
severity
(Optional, string) The severity of the incident.

Response codes

edit
200
Indicates a successful call.

Examples

edit

Run an index connector:

POST api/actions/connector/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad/_execute
{
  "params": {
    "documents": [
      {
        "id": "test_doc_id",
        "name": "test_doc_name",
        "message": "hello, world"
      }
    ]
  }
}

The API returns the following:

{
  "status": "ok",
  "data": {
    "took": 10,
    "errors": false,
    "items": [
      {
        "index": {
          "_index": "test-index",
          "_id": "iKyijHcBKCsmXNFrQe3T",
          "_version": 1,
          "result": "created",
          "_shards": {
            "total": 2,
            "successful": 1,
            "failed": 0
          },
          "_seq_no": 0,
          "_primary_term": 1,
          "status": 201
        }
      }
    ]
  },
  "connector_id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad"
}

Run a server log connector:

POST api/actions/connector/7fc7b9a0-ecc9-11ec-8736-e7d63118c907/_execute
{
  "params": {
    "level": "warn",
    "message": "Test warning message"
  }
}

The API returns the following:

{"status":"ok","connector_id":"7fc7b9a0-ecc9-11ec-8736-e7d63118c907"}

Retrieve the list of issue types for a Jira connector:

POST api/actions/connector/b3aad810-edbe-11ec-82d1-11348ecbf4a6/_execute
{
  "params": {
    "subAction": "issueTypes"
  }
}

The API returns the following:

{
  "status":"ok",
  "data":[
    {"id":"10024","name":"Improvement"},{"id":"10006","name":"Task"},
    {"id":"10007","name":"Sub-task"},{"id":"10025","name":"New Feature"},
    {"id":"10023","name":"Bug"},{"id":"10000","name":"Epic"}
  ],
  "connector_id":"b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}

Create then update a Swimlane incident:

POST api/actions/connector/a4746470-2f94-11ed-b0e0-87533c532698/_execute
{
  "params":{
    "subAction":"pushToService",
    "subActionParams":{
      "incident":{
        "description":"Description of the incident",
        "caseName":"Case name",
        "caseId":"1000"
      },
      "comments":[
        {"commentId":"1","comment":"A comment about the incident"}
      ]
    }
  }
}

POST api/actions/connector/a4746470-2f94-11ed-b0e0-87533c532698/_execute
{
  "params":{
    "subAction":"pushToService",
    "subActionParams":{
      "incident":{
        "caseId":"1000",
        "caseName":"A new case name"
      }
    }
  }
}

Retrieve the list of choices for a ServiceNow ITOM connector:

POST api/actions/connector/9d9be270-2fd2-11ed-b0e0-87533c532698/_execute
{
  "params": {
    "subAction": "getChoices",
    "subActionParams": {
      "fields": [ "severity","urgency" ]
    }
  }
}

The API returns the severity and urgency choices, for example:

{
  "status": "ok",
  "data":[
    {"dependent_value":"","label":"Critical","value":"1","element":"severity"},
    {"dependent_value":"","label":"Major","value":"2","element":"severity"},
    {"dependent_value":"","label":"Minor","value":"3","element":"severity"},
    {"dependent_value":"","label":"Warning","value":"4","element":"severity"},
    {"dependent_value":"","label":"OK","value":"5","element":"severity"},
    {"dependent_value":"","label":"Clear","value":"0","element":"severity"},
    {"dependent_value":"","label":"1 - High","value":"1","element":"urgency"},
    {"dependent_value":"","label":"2 - Medium","value":"2","element":"urgency"},
    {"dependent_value":"","label":"3 - Low","value":"3","element":"urgency"}],
  "connector_id":"9d9be270-2fd2-11ed-b0e0-87533c532698"
}