Elastic Security APIs
You can use these APIs to interface with Elastic Security features:
- Detections API: Manage detection rules and alerts
- Exceptions API: Create and manage rule exceptions
- Lists API: Create source event value lists for use with rule exceptions
- Timeline API: Import and export timelines
- Cases API: Open and manage cases
Additionally, the Kibana Actions API is partially documented to enable opening and updating cases in external ticketing systems. For more information on Kibana Actions, see Alerting and Actions and https://github.com/elastic/kibana/tree/master/x-pack/plugins/actions.
API URLs
For calls to the Default Kibana space, API endpoints are as follows:
<kibana host>:<port>/api/<endpoint>
Where:
- <kibana host> is the host name of your Kibana instance.
- <port> is the port number of your Kibana instance.
- <endpoint> is the API endpoint, such as detection_engine/rules or cases/configure.
If you are making calls to a Kibana space other than the Default space, the space identifier is part of the endpoint's URL:
<kibana host>:<port>/s/<space URL>/api/<endpoint>
Where <space URL> is the URL identifier for the Kibana space.
You can find space URL identifiers on Edit space pages (Management → Spaces → <space name>) or by calling GET /api/spaces/space.
Authentication
Token-based authentication, using the same username and password used to log in to the Kibana UI, is required to access the APIs.
API calls
All calls to APIs are stateless. Each call must include all the information Elastic Security needs to perform the request.
Requests must contain these headers:
- kbn-xsrf: <value>, where <value> can be any alphanumeric string (for example, kbn-xsrf: kibana)
- Content-Type: application/json (when the request contains a JSON payload)
For example, the following call uses the Detections API to retrieve the first 20 detection rules from the Kibana siem space:
curl -X GET "<kibana host>:<port>/s/siem/api/detection_engine/rules/_find" -H 'kbn-xsrf: kibana' -u <username>:<password>
In dev mode, the Kibana server runs behind a proxy which adds a random path component to its URL. Considerations for basePath describes how to work with and disable the random path component.
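The URL and header rules above, as an added example (not code from the Elastic documentation): a small Python helper that assembles a request for the Elastic Security APIs, inserting the /s/<space URL>/ prefix only for non-default spaces, always setting kbn-xsrf, adding Content-Type only when a JSON body is sent, and using basic auth with Kibana UI credentials. The host, port, credentials and the assumption that the Default space's identifier is "default" are placeholders chosen for the example.

```python
import base64
import json
import urllib.request
from typing import Optional

def kibana_api_url(host: str, port: int, endpoint: str,
                   space: Optional[str] = None, scheme: str = "https") -> str:
    """Build <kibana host>:<port>/api/<endpoint>, adding /s/<space URL>/
    when the call targets a space other than the Default one
    (assumed here to have the identifier "default")."""
    endpoint = endpoint.lstrip("/")
    prefix = f"/s/{space}" if space and space != "default" else ""
    return f"{scheme}://{host}:{port}{prefix}/api/{endpoint}"

def security_api_headers(username: str, password: str,
                         has_json_body: bool) -> dict:
    """Headers every call needs: kbn-xsrf (any alphanumeric string), basic
    auth with the same Kibana UI credentials, and Content-Type only when a
    JSON payload is sent."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"kbn-xsrf": "kibana", "Authorization": f"Basic {token}"}
    if has_json_body:
        headers["Content-Type"] = "application/json"
    return headers

def build_request(host: str, port: int, endpoint: str, username: str,
                  password: str, space: Optional[str] = None,
                  method: str = "GET", body=None) -> urllib.request.Request:
    """Return a prepared urllib Request; send it with urllib.request.urlopen()."""
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(
        kibana_api_url(host, port, endpoint, space),
        data=data, method=method,
        headers=security_api_headers(username, password, data is not None))

if __name__ == "__main__":
    # Constructed placeholder host and credentials; equivalent to the curl call
    # above, targeting the "siem" space.
    req = build_request("kibana.example.internal", 5601,
                        "detection_engine/rules/_find", "analyst", "s3cret",
                        space="siem")
    print(req.get_method(), req.full_url)
    print(req.header_items())
```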