Get Attack discovery schedule by ID (Technical Preview; added in 9.2.0)

GET /api/attack_discovery/schedules/{id}

Spaces method and path for this operation:

get /s/{space_id}/api/attack_discovery/schedules/{id}

Refer to Spaces for more information.

Retrieves a specific Attack discovery schedule by its unique identifier. The response contains the complete schedule configuration, including parameters, interval settings, associated actions, and execution history. This endpoint is in technical preview.

Path parameters

  • id string(nonempty) Required

    The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings.

    Minimum length is 1.

Responses

  • 200 application/json

    Successfully retrieved Attack Discovery schedule with complete configuration and metadata

    Response attributes (object):
    • actions array[object] Required

      The attack discovery schedule actions

      One of:
    • created_at string(date-time) Required

      The date the schedule was created

    • created_by string Required

      The name of the user that created the schedule

    • enabled boolean Required

      Indicates whether the schedule is enabled

    • id string Required

      UUID of attack discovery schedule

    • last_execution object

      An attack discovery schedule execution information

      last_execution attributes (object):
      • date string(date-time) Required

        Date of the execution

      • duration number

        Duration of the execution

      • message string
      • status string Required

        An attack discovery schedule execution status

        Values are ok, active, error, unknown, or warning.

    • name string Required

      The name of the schedule

    • params object Required

      An attack discovery schedule params

      params attributes (object):
      • alerts_index_pattern string Required

        The index pattern to get alerts from

      • api_config object Required

        LLM API configuration.

        api_config attributes (object):
        • actionTypeId string Required

          Action type ID

        • connectorId string Required

          Connector ID

        • defaultSystemPromptId string

          Default system prompt ID

        • model string

          Model

        • provider string

          Provider

          Values are OpenAI, Azure OpenAI, or Other.

        • name string Required

          The name of the connector

      • combined_filter object

        Additional properties are allowed.

      • end string
      • filters array

        The filter array used to define the conditions for when alerts are selected as an attack discovery context. Defaults to an empty array.

      • query object

        A query condition used to filter alerts

      • size number Required
      • start string
    • schedule object Required
      schedule attributes (object):
      • interval string Required

        The schedule interval

    • updated_at string(date-time) Required

      The date the schedule was updated

    • updated_by string Required

      The name of the user that updated the schedule

  • 400 application/json

    Generic Error

    Response attributes (object):
    • error string

      Error type

    • message string

      Human-readable error message describing what went wrong

    • status_code number

      HTTP status code

Request example

GET /api/attack_discovery/schedules/{id}

    curl \
      --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \
      --header "Authorization: $API_KEY" \
      --header "Content-Type: application/json"

Response examples (200)

    {
      "id": "12345678-1234-1234-1234-123456789012",
      "name": "Daily Security Analysis",
      "params": {
        "end": "now",
        "size": 100,
        "start": "now-24h",
        "api_config": {
          "name": "Claude 3.5 Sonnet",
          "connectorId": "my-bedrock-connector",
          "actionTypeId": "bedrock"
        },
        "alerts_index_pattern": ".alerts-security.alerts-default"
      },
      "actions": [],
      "enabled": true,
      "schedule": { "interval": "24h" },
      "created_at": "2023-10-31T10:00:00.000Z",
      "created_by": "elastic",
      "updated_at": "2023-10-31T10:00:00.000Z",
      "updated_by": "elastic",
      "last_execution": {
        "date": "2023-10-31T10:00:00.000Z",
        "status": "ok",
        "last_duration": 45.2
      }
    }

Response examples (400)

    {
      "error": "Bad Request",
      "message": "Invalid request parameters",
      "status_code": 400
    }
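The following client is an added example and is not code from the Elastic documentation or the Kibana project. It builds the request path documented above (including the optional `/s/{space_id}` prefix), fetches a schedule, and then checks the returned document against the documented schema so that a detection engineer can spot a schedule that is disabled, has never run, or whose last execution ended in `error`, `warning` or `unknown`. The health rules in `check_schedule`, the assumption that the `Authorization` header value is supplied in full by the caller (for example `ApiKey <key>`), and the constructed sample document (a copy of the 200 response example above) are this example's own, not the API's.

```python
"""Fetch an Attack discovery schedule by ID and check its health.

Added example, not Elastic's own code. It assumes the endpoint and response
shape documented on this page; the health rules and the sample response
below are constructed for the example.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import quote

# Fields the 200 response schema marks as Required.
REQUIRED_FIELDS = ("actions", "created_at", "created_by", "enabled", "id",
                   "name", "params", "schedule", "updated_at", "updated_by")

# Execution statuses that do not need attention (documented values are
# ok, active, error, unknown, warning).
HEALTHY_STATUSES = ("ok", "active")


def schedule_url(base_url, schedule_id, space_id=None):
    """Build the endpoint URL; the /s/{space_id} prefix selects a non-default space."""
    prefix = f"/s/{quote(space_id, safe='')}" if space_id else ""
    return (f"{base_url.rstrip('/')}{prefix}"
            f"/api/attack_discovery/schedules/{quote(schedule_id, safe='')}")


def fetch_schedule(base_url, schedule_id, authorization, space_id=None, timeout=10):
    """GET the schedule. `authorization` is the full header value (assumed 'ApiKey <key>').

    Returns (http_status, parsed_json). A 400 is returned rather than raised so the
    caller can inspect the documented {error, message, status_code} body.
    """
    req = urllib.request.Request(
        schedule_url(base_url, schedule_id, space_id),
        headers={"Authorization": authorization, "Content-Type": "application/json"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", errors="replace")
        try:
            return exc.code, json.loads(body)
        except json.JSONDecodeError:
            return exc.code, {"error": "non-JSON error body", "message": body,
                              "status_code": exc.code}


def check_schedule(doc):
    """Validate a schedule document against the documented schema and flag
    conditions worth alerting on. Returns a summary dict with a `problems` list."""
    if "status_code" in doc and "error" in doc:
        # Documented 400 shape: surface it as a single problem.
        return {"ok": False, "problems": [
            f"API error {doc['status_code']}: {doc.get('message', '')}"]}

    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in doc]
    if not doc.get("enabled", False):
        problems.append("schedule is disabled; no discoveries are being generated")

    last = doc.get("last_execution")
    if last is None:
        problems.append("schedule has never executed")
    elif last.get("status") not in HEALTHY_STATUSES:
        problems.append(f"last execution status {last.get('status')!r}: "
                        f"{last.get('message', '')}")

    params = doc.get("params", {})
    return {
        "ok": not problems,
        "id": doc.get("id"),
        "name": doc.get("name"),
        "interval": doc.get("schedule", {}).get("interval"),
        "alerts_index_pattern": params.get("alerts_index_pattern"),
        "connector": params.get("api_config", {}).get("connectorId"),
        "last_status": None if last is None else last.get("status"),
        "problems": problems,
    }


# Constructed sample: a copy of the 200 response example from this page.
SAMPLE_RESPONSE = {
    "id": "12345678-1234-1234-1234-123456789012",
    "name": "Daily Security Analysis",
    "params": {"end": "now", "size": 100, "start": "now-24h",
               "api_config": {"name": "Claude 3.5 Sonnet",
                              "connectorId": "my-bedrock-connector",
                              "actionTypeId": "bedrock"},
               "alerts_index_pattern": ".alerts-security.alerts-default"},
    "actions": [], "enabled": True, "schedule": {"interval": "24h"},
    "created_at": "2023-10-31T10:00:00.000Z", "created_by": "elastic",
    "updated_at": "2023-10-31T10:00:00.000Z", "updated_by": "elastic",
    "last_execution": {"date": "2023-10-31T10:00:00.000Z", "status": "ok",
                       "last_duration": 45.2},
}

if __name__ == "__main__":
    # Offline run against the sample; replace with fetch_schedule(...) for a live Kibana.
    print(json.dumps(check_schedule(SAMPLE_RESPONSE), indent=2))
```

For a live check, call `fetch_schedule("http://localhost:5601", schedule_id, "ApiKey <key>")` and pass the returned document to `check_schedule`; a non-empty `problems` list is what you would route into a monitoring alert. Note that `urllib` raises `HTTPError` for any 4xx/5xx, so the wrapper returns the status code alongside the body instead of letting the exception escape.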